Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
mathstodon.xyz is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon instance for maths people. We have LaTeX rendering in the web interface!

Administered by:

Server stats:

2.7K
active users

mathstodon.xyz: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.8

#keyserver

0 posts0 participants0 posts today
Public
PGPkeys EU

We are pleased to announce the release of Hockeypuck 2.2.

Hockeypuck is a modern synchronising keyserver that is optimised for ease of deployment, particularly in containerised environments via docker-compose.

Hockeypuck 2.2 is a significant upgrade that includes the following changes:

# Features

• Fully stable sync
• Improved multithreading safety
• Deletion of personal data from hard-revoked keys
• Admin deletion of keys via signed submissions
• Detached revocation certificate support

# Bugfixes

• Missing direct key signature validation
• Missing subkeys with v3 sbinds
• Missing CORS headers
• HTTPS binding errors
• Many cosmetic improvements

# Deprecations

• SKS-keyserver recon compatibility
• UAT image packets
• User deletion and replacement of keys via `/pks/delete` and `/pks/replace` endpoints

More information: github.com/hockeypuck/hockeypu

GitHubHomeOpenPGP Key Server. Contribute to hockeypuck/hockeypuck development by creating an account on GitHub.
#gpg#gnupg#hockeypuck
Public
Pirate Praveen

Anyone familiar with writing database queries and want to help #mailvelope #openpgp #keyserver work with #ferretdb instead of non-free #mongodb ?

github.com/mailvelope/keyserve

Background: mailvelope keyserver is the only openpgp keyserver software I found that supports key removals and GDPR-compliant/abuse resistant (the commonly used keys.openpgp.org software hagrid is not supported for outside deployments).

All older key server software don't do email verification and cannot remove keys.

GitHubSupport ferretdb to replace mongodb · Issue #142 · mailvelope/keyserverBy pravi
Replied in thread
Public
Kevin Karhan :verified:

@anarchopunk_girl @fla @Mer__edith @signalapp

Also #Signal collects #PhoneNumbers which are hard if not illegal to obtain anonymously depending on one's juristiction and those ain't even #TechnicallyNecessary unlike #Apps that do #E2EE with #OpenPGP on #SMS where it makes sense to offer people the convenience of a #Keyserver offered by the maintainers.

Personally, #Signal has a stench closer to #ANØM / #OperationIronside / #TojanShield than #EncroChat IMHO...
en.wikipedia.org/wiki/ANOM

en.wikipedia.orgANOM - Wikipedia
Public
ulrike

[en] is there any valuable reason left why people in 2023 don't upload their public OpenPGP key to keys.openpgp.org and rather ask to request their key by sending them an unencrypted email? Which problem is this trying to solve? My feeling is this is a misunderstanding of the OpenPGP ecosystem.. #openpgp #keyserver

Public
Christiaan :nixos: :flag_nl:

#HomeLab question; after figuring out why I couldn't connect to my server the other day I'm looking for a solution. Like a responsible person I've installed my server with #FullDiskEncryption but that means manual intervention after a reboot (namely entering the decryption password).

Automatic updating also means regular reboots, but I don't want to deal with the password. I've heard a #keyserver might be a solution, but I hope there are other solutions available?

Public
Ru

Hmm, wanted to revoke my old #GPG keys - created 3 years ago - at least one of which exists on a #keyserver.

Cannot remember the passphrase to even one! I know I have very elaborate hints written on a piece of paper, but I also don't have the physical paper with me, because reasons.

Public
tedu
TLDR: linked list bad, SQLite good.

Also, my compilers prof would not approve of this line: "This is because the normal parser can not be reused: It is spread all over the source code."

hoot: https://twitter.com/lambdafu/status/1147162583969009664
@lambdafu: Recent reports on the #OpenPGP #keyserver certificate poisoning attacks have focused on the SKS keyserver implemented in OCaml, which is basically a replicated, censor-resistant, append-only database for unverified key material. But what about #gnupg's role in the attack? /thread

@lambdafu: Historically, the PGP tool used the same OpenPGP data structure internally and externally: PGP Keys (public or secret) are a sequence of OpenPGP packets. First there is a signing key packet, then a user id packet, followed by a binding signature, and then web of trust signatures.

@lambdafu: The old pubring.gpg is such a sequence of OpenPGP packets. All operations on the list of keys (looking up a key by id or user name, searching for a trust path in the web of trust, deleting a key, etc) require a linear scan, fully parsing every packet from the top down.

@lambdafu: To speed this up, GnuPG uses pubring.kbx now, which is basically OpenPGP plus some extra metadata to allow fast-forwarding to the next key in the list without parsing it fully. It's a custom file format implemented in C, as all of GnuPG.

@lambdafu: By the way, did you know GnuPG has a second PGP parser just for the keyring? This is because the normal parser can not be reused: It is spread all over the source code. All processing in GnuPG is a side effect of parsing OpenPGP data structures, so a second parser was needed.

@lambdafu: Anyway, the keybox format is only a constant speed up, it still requires linear scanning of all keys. And to prevent race conditions, keys are appened by copying the whole file, then appending a single key. Key import is quadratic in disk I/O and runtime for the number of keys.

@lambdafu: This not all, though. Parsing a single key builds up a data structure. Part of the data structure is a list of OpenPGP packets that make up the key. This list is implemented as a singly linked list, which is the simplest, but also slowest way to implement a list.

@lambdafu: Here is how a new signature is appended to the list of packets (kbnodes) that make up the key. The packet is appended at the end of the list "root", but to find the end, the add_kbnode function iterates over the whole list every time. This is quadratic time in number of packets. https://pic.twitter.com/kDzgSYMYGg

@lambdafu: Simply caching the tail of the list would solve this, but because add_kbnode is called in many places, this can not be done safely without auditing a lot of code. I tried caching it in the import, and it made the import very fast, but then GnuPG would hang when doing other stuff.

@lambdafu: To fix this properly, GnuPG should use a database library, such as #sqlite. There is a lot of reluctance relying on other people's code, which is why this did not happen. Although it's always a trade off, I would trust my life to sqlite (probably have already!), but not to GnuPG.

@lambdafu: tl;dr: Don't use linked lists, don't implement your own data structures. https://www.youtube.com/watch?v=YQs6IC-vgmo
TwitterMarcus Brinkmann on TwitterBy Marcus Brinkmann
#sqlite#gnupg#keyserver
Public
erAck

SKS Keyserver Network Under Attack
gist.github.com/rjhansen/67ab9

Mitigations:
"High-risk users should stop using the keyserver network immediately."
"
1. Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
2. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
"

GistSKS Keyserver Network Under AttackSKS Keyserver Network Under Attack. GitHub Gist: instantly share code, notes, and snippets.
#OpenPGP#SKS#keyserver
Public
erAck

Tried to upload my #OpenPGP key including all signatures to the new keyserver at keys.openpgp.org/ and got

"413 Request Entity Too Large"

With both using the web form and via curl.

So I guess in that case one could upload a --export-options export-minimal key.. but why should I strip my key of all signatures? Then I figured that keyserver doesn't distribute third-party signatures anyway, see their FAQ keys.openpgp.org/about/faq

keys.openpgp.orgkeys.openpgp.org
#PGP#GnuPG#keyserver
SearchLive feeds
About