[Keyserver] Hockeypuck 2.1.0 released

Casey Marshall casey.marshall at gmail.com
Mon Dec 14 17:21:03 CET 2020


>
> Date: Fri, 11 Dec 2020 17:56:24 +0000
> From: Stefan Claas <spam.trap.mailing.lists at gmail.com>
> To: Casey Marshall via Gnupg-users <gnupg-users at gnupg.org>,
>         sks-devel at nongnu.org, Casey Marshall <casey.marshall at gmail.com>
> Subject: Re: [Keyserver] Hockeypuck 2.1.0 released
> Message-ID: <CAC6FiZ6EPR-eUD0AzMCVz7m4c9Hxga1iSfG7jSC2HXwsOvFmWA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
> On Fri, Dec 11, 2020 at 10:25 AM Werner Koch <wk at gnupg.org> wrote:
> >
> > On Thu, 10 Dec 2020 11:07, Casey Marshall said:
> >
> > >    - Authenticated key management. This adds a couple of extra endpoints
> > >    which allow a key owner to replace and delete their key, authenticated by
> > >    signing the armored key in the request. This allows a key owner to still
> > >    update their own key once it has been inflated beyond the key
> >
> > Finally after more than 20 years waiting for someone to implement such a
> > feature.  Yeah.  Where can I find the specs?
> >
> > Did you consider that an authenticated request to delete a key may not
> > actually remove the key from the keyserver?  Instead the primary key
> > should be kept and the server prepared to receive and merge even
> > unauthenticated revocation certificates.  This is important in case of a
> > lost key (or passphrase forgotten) so that a pre-created revocation
> > certificate can be uploaded.  Also avoids DoS after a key compromise.
> Hi Werner and Casey,
> I have a question for both of you.
> When I reported a while ago on GitHub about a fake uat packet on Werner's
> key you quickly fixed the issue and the added image of 'Donnie' no longer
> showed up at the Ubuntu keyserver. Interestingly now GitHub shows zero
> issues as of today, while yesterday still some issues were open and a lot
> of them closed.
>

Hockeypuck has several issues still open on Github:
https://github.com/hockeypuck/hockeypuck/issues


> Now my second question how is/was this done with Werner's key?
> SKS still shows Werner's key with signatures, while the Ubuntu keyserver
> shows only a very small key now. Before that the Ubuntu key server showed
> the sigs too and additionally the fake uat packet (Donnie image).
> Does this mean that a GnuPG user can modify his key in such a way
> and re-submit it, so that the result is now like Werner's key or can a
> Hockeypuck operator do this (on behalf of) the key owner? The key
> in question, on the Ubuntu keyserver, also no longer has a UID, which
> I thought only sequoia-pgp can handle and not GnuPG.
>
> https://keyserver.ubuntu.com/pks/lookup?search=0x7b96d396e6471601754be4db53b620d01ce0c630&fingerprint=on&op=vindex
>
> http://keys2.andreas-puls.de:11371/pks/lookup?search=0x7b96d396e6471601754be4db53b620d01ce0c630&fingerprint=on&op=vindex


The fix to this issue was to have Hockeypuck remove all packets lacking a
currently-valid self-signature from responses. This removes fake packets
(like the uat example) as well as expired identities. The self-signature on
the UID packet in your example expired 2008-12-31, so it (and all of its
third-party signatures) is pruned from the response. Only the public key
packet remains.


> Regards
> Stefan
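The pruning rule Casey describes (drop every UID, user-attribute and subkey packet that lacks a currently-valid self-signature, taking that packet's third-party signatures with it, and always keep the primary key packet) can be modelled as follows. This is an added illustration, not Hockeypuck's own code; the key structure, the fingerprints and the timestamps are constructed, and cryptographic verification of each signature is assumed to have already happened and is represented by a `verified` flag rather than computed here. The sample key carries an old UID whose self-signature expired on 2008-12-31, as in the thread, a current UID, an injected image packet whose forged self-signature does not verify, and a bound subkey.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumption: signature validity is pre-computed and carried in `verified`;
# real OpenPGP signature verification is out of scope for this model.
# All timestamps are timezone-aware UTC datetimes.


@dataclass
class Signature:
    issuer_fpr: str            # fingerprint of the signing key
    sig_type: str              # "self-cert", "subkey-binding" or "third-party"
    created: datetime
    expires: Optional[datetime]
    verified: bool             # hypothetical: outcome of cryptographic verification


@dataclass
class Packet:
    kind: str                  # "uid", "uat" or "subkey"
    label: str
    signatures: List[Signature]


@dataclass
class PublicKey:
    fingerprint: str           # stands in for the primary public key packet
    packets: List[Packet]


# Which self-issued signature types bind each packet kind to the primary key.
BINDING_TYPES = {"uid": {"self-cert"}, "uat": {"self-cert"}, "subkey": {"subkey-binding"}}


def latest_valid_self_sig(key: PublicKey, packet: Packet, now: datetime) -> Optional[Signature]:
    """Newest self-signature on `packet` that verifies, was created by `now`
    and has not expired at `now`; None if the packet is unbound."""
    candidates = [
        sig for sig in packet.signatures
        if sig.issuer_fpr == key.fingerprint
        and sig.sig_type in BINDING_TYPES[packet.kind]
        and sig.verified
        and sig.created <= now
        and (sig.expires is None or now < sig.expires)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.created)


def prune_unbound(key: PublicKey, now: datetime) -> PublicKey:
    """Drop every packet without a currently-valid self-signature. Third-party
    signatures on a dropped packet go with it; the primary key is always kept."""
    kept = [p for p in key.packets if latest_valid_self_sig(key, p, now) is not None]
    return PublicKey(key.fingerprint, kept)


def remaining_labels(key: PublicKey, now: datetime) -> List[str]:
    """Labels of the packets that survive pruning at `now`, in original order."""
    return [p.label for p in prune_unbound(key, now).packets]


# --- constructed sample key; placeholder fingerprints, not a real key ---
OWNER = "0000000000000000000000000000000000000001"
STRANGER = "0000000000000000000000000000000000000002"
UTC = timezone.utc

SAMPLE_KEY = PublicKey(OWNER, [
    # Old identity: self-signature expired 2008-12-31, plus a third-party
    # certification that must disappear together with the UID.
    Packet("uid", "Old UID <old@example.org>", [
        Signature(OWNER, "self-cert", datetime(2005, 1, 1, tzinfo=UTC),
                  datetime(2008, 12, 31, tzinfo=UTC), True),
        Signature(STRANGER, "third-party", datetime(2006, 6, 1, tzinfo=UTC), None, True),
    ]),
    # Current identity: unexpired self-signature, kept.
    Packet("uid", "Current UID <current@example.org>", [
        Signature(OWNER, "self-cert", datetime(2019, 1, 1, tzinfo=UTC), None, True),
    ]),
    # Injected user-attribute (image) packet: its only self-signature fails verification.
    Packet("uat", "image/jpeg (injected)", [
        Signature(OWNER, "self-cert", datetime(2020, 11, 1, tzinfo=UTC), None, False),
    ]),
    # Encryption subkey with a valid binding signature, kept.
    Packet("subkey", "encryption subkey", [
        Signature(OWNER, "subkey-binding", datetime(2019, 1, 1, tzinfo=UTC), None, True),
    ]),
])

NOW = datetime(2020, 12, 14, tzinfo=UTC)       # date of this thread
EARLIER = datetime(2007, 1, 1, tzinfo=UTC)     # before the old UID expired

if __name__ == "__main__":
    for label in remaining_labels(SAMPLE_KEY, NOW):
        print("kept:", label)
```

Run at the thread's date, only the current UID and the subkey survive; the expired UID, its third-party certification and the injected image packet are all gone, while the primary key itself is never touched. Evaluating the same key at an earlier date shows the rule is time-dependent: the old UID is still bound in 2007, and packets whose self-signatures were not yet created are not served either.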

