Questions about OpenPGP best practices

Niels Laukens niels at dest-unreach.be
Tue Feb 26 08:52:10 CET 2013


On 2013-02-26 07:51, Daniel Kahn Gillmor wrote:
> On 02/25/2013 02:54 PM, Peter Loshin wrote:
>> 1. "Don't use pgp.mit.edu". Which keyserver *should* be used? I assume
>> that a pool is better than a particular server; is there one
>> particular pool that is preferred? What about
>> http://pool.sks-keyservers.net/?
> 
> You should use hkp:// instead of http://.  Using http:// implies a
> simple web request (e.g. , while hkp:// implies the structured key
> lookups keyservers are known to use.
> 
> and you may want to use ha.pool.sks-keyservers.net (this is a
> high-availability pool -- only keyservers that operate behind HTTP
> reverse proxies are included.  this mode of operation is considered a
> best-practice for sks keyserver operators).

I find *.sks-keyservers.net unusable (unfortunately).

More often than not, I get this:
gpgkeys: HTTP fetch error 7: couldn't connect: End of file

tcpdump shows me that the server just closes the connection without an
answer.
It does work from time to time, so when doing a manual --recv-key, I
usually get the key within a few tries. But when using e.g. caff (which
does not retry), it's unusable.

So I'm still looking for a good, working keyserver...

And while pgp.mit.edu might not be the best keyserver, it works... (from
my experience at least).
