Re: PGP kerserver infrastructure
In message <Pine.LNX.3.96.1000629104337.11811B-100000@Overkill.EnterZone.Net>, John Fraizer writes:
While I agree with the statement, I take exception to any notion that _any_ service we provide would be "marginal." Thus far, my network has a higher uptime percentage than any carrier we interconnect with, period, the end. We planned, built and operate a regional exchange, including the route servers, that has been live 24/7 for 11 months. That is 0% downtime for the route-server platform and the exchange fabric.
The issue isn't so much network availability -- though a key server designed to meet the needs of NANOG folks is interesting, since they most need to talk to each other when the net isn't working well -- as service availability. That has all sorts of implications at the application level. --Steve Bellovin
On Thu, Jun 29, 2000 at 11:29:39AM -0400, Steven M. Bellovin wrote:
The issue isn't so much network availability -- though a key server designed to meet the needs of NANOG folks is interesting, since they most need to talk to each other when the net isn't working well -- as service availability. That has all sorts of implications at the application level.
Like RIPE, pgpkey (rfc2726) support is coming to the RADB Real Soon Now. IRRd (the backend of the RADB) also has had work recently put into the issue of verifying database synchronization. This functionality will be available to the IRRd community in the next release. But a small (and incomplete) preview: $ whois -h whois.radb.net "!j-*" RADB:Y:14679-22498 ANS:Y:1-5855 RIPE:N:0-12149653 APNIC:N:0-240883 VERIO:Y:1295-3227 FGC:Y:650-1821 [snip] Field explanation: db-name:mirrorable:lowest_journal-currentserial:last_export db-name: obvious mirrorable: whether or not the querant is allowed to mirror this db. lowest_journal: the starting range at which a mirror can be satisfied. always 0 for not-mirrorable. currentserial: obvious last_export: for databases that are exported to the ftp area, the last serial number at which the database was exported. Useful for databases which are updated only periodically and don't need to be mirrored real-time. (Not implemented yet.) One of the missing components is the repository object to be supplied by rps-dist which will allow you to check a secondary or tertiary mirror's currentserial against the primary repository. But at the moment, the list published at http://www.radb.net/docs/list.html provides a good start. Between the current polling mechanism, the planned flooding mechanism for rpsl-dist and the above for verifying synchronization, using the IRR may be a reasonable storage location for PGP Keys. (N.B.: The !j mechanism is a IRRd-only query extension at this point. But we are speaking to the other IRR software developers about providing similar support.)
--Steve Bellovin
-- Jeffrey Haas - Merit RSng project - jeffhaas@merit.edu
Hey, just a thought... does anyone know the "edge" of what say, Americans, are allowed to discuss with , say, non-American's, with respect to crypto... I got zapped for an email to Australia once... (early SSLeay) Just thought someone who was up on the current "state of affairs" might be willing to post. I know some things have changed recently.... Listening..... :) Jeff Haas wrote:
On Thu, Jun 29, 2000 at 11:29:39AM -0400, Steven M. Bellovin wrote:
The issue isn't so much network availability -- though a key server designed to meet the needs of NANOG folks is interesting, since they most need to talk to each other when the net isn't working well -- as service availability. That has all sorts of implications at the application level.
Like RIPE, pgpkey (rfc2726) support is coming to the RADB Real Soon Now. IRRd (the backend of the RADB) also has had work recently put into the issue of verifying database synchronization. This functionality will be available to the IRRd community in the next release.
But a small (and incomplete) preview:
$ whois -h whois.radb.net "!j-*" RADB:Y:14679-22498 ANS:Y:1-5855 RIPE:N:0-12149653 APNIC:N:0-240883 VERIO:Y:1295-3227 FGC:Y:650-1821 [snip]
Field explanation:
db-name:mirrorable:lowest_journal-currentserial:last_export
db-name: obvious mirrorable: whether or not the querant is allowed to mirror this db. lowest_journal: the starting range at which a mirror can be satisfied. always 0 for not-mirrorable. currentserial: obvious last_export: for databases that are exported to the ftp area, the last serial number at which the database was exported. Useful for databases which are updated only periodically and don't need to be mirrored real-time. (Not implemented yet.)
One of the missing components is the repository object to be supplied by rps-dist which will allow you to check a secondary or tertiary mirror's currentserial against the primary repository. But at the moment, the list published at http://www.radb.net/docs/list.html provides a good start.
Between the current polling mechanism, the planned flooding mechanism for rpsl-dist and the above for verifying synchronization, using the IRR may be a reasonable storage location for PGP Keys.
(N.B.: The !j mechanism is a IRRd-only query extension at this point. But we are speaking to the other IRR software developers about providing similar support.)
--Steve Bellovin
-- Jeffrey Haas - Merit RSng project - jeffhaas@merit.edu
On Thu, 29 Jun 2000 14:02:42 CDT, Rick Irving said:
Hey, just a thought... does anyone know the "edge" of what say, Americans, are allowed to discuss with , say, non-American's, with respect to crypto...
I got zapped for an email to Australia once...
Zapped by whom? And what did you say? Note that the *discussion* of crypto has always been pretty open, especially as regarding published algorithms (they still get touchy if you start chatting about NSA-only code ;). Note that discussion can be quite detailed - the source code of PGP was released as a book.. ;) The *big* problem was (until lately) the inability to export *source code* or *object code* for crypto software. -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
I got zapped for an email to Australia once...
Zapped by whom? And what did you say?
Not much... fortunately. It was the operator of the list who was aware of the issue.... and warned me. At the time, this was an open source crypto site and list , we, as American's, were not supposed to participate.. 94 - 95 ? However, we could lurk. ... I received a rather scathing e-mail, as the Aussie's were rather "peeved" at the imbalance of trade. (at that time) Turned out, the American's were one of the largest downloaders of those lib's.... Of course, that was about a life time, or two, ago.... I am not personally too familiar with the issue's involved, just thought I would ask before I start receiving nasty e-mails... "Safe, rather than Sorry" is more than just a religion, errr, on second thought, no, it isn't.. ;)
source code of PGP was released as a book.. ;)
That caused trouble in it's own time, as well. ;)
The *big* problem was (until lately) the inability to export *source code* or *object code* for crypto software.
This is what I am asking...
-- Valdis Kletnieks Operating Systems Analyst Virginia Tech
-------------------------------------------------------------------- Part 1.2Type: application/pgp-signature
As Valdis Kletnieks says, discussion of crypto has never been too much of a problem; much to the agony of some sick, sick bastards in various three-letter organizations of the federal gov't, it remains pretty much legal to discuss pretty much anything, and the courts continue to frown on suppression of protected speech, prior restraint, and so on. Though as any number of people can assure you, the fact that a federal regulation is unconstitutional isn't much comfort while it's being used to persecute you. For the longest kind of time, the same sickoes managed to weasel regulations into place that outlawed distribution of software, on the grounds that it was a munition, like a bomb or a tank or a fighter jet or something. At nearly the same time (but I'm sure there's no connection, it's a complete coincidence) djb won a federal court ruling that source code was protected speech, and the export restrictions were _dramatically_ relaxed. In particular, while there remain some licensing restrictions for exporting commercial binary crypto code, open source stuff can be pretty freely shipped about, you just need to notify some email addr or another of the web site where you're offering the code. In principle you aren't supposed to make it available to a half-dozen naughty countries that our gov't continues to want to embargo or something, but you as the provider of the code on the net are _not_ charged with enforcing that. At this point the only remaining barrier to wide open use of strong crypto in nearly all settings is the RSA patent. 3 months from now, to the day, that expires, and then the last barrier falls. -Bennett
participants (5)
-
Bennett Todd -
Jeff Haas -
Rick Irving -
Steven M. Bellovin -
Valdis.Kletnieks@vt.edu