Default GPG keyservers

HulaHoop · September 24, 2021, 11:36pm

An interesting conversation on the GPG mailing list that’s been ongoing for months. This info should help us choose a good set of default keyservers for user protection from fake signatures and/or DoS against the WoT.

security-misc /etc/skel/.gnupg/gpg.conf doesn’t define any currently.

Problem:

The keystore trilemma is not yet solved. You can have two out of three
of decentralisation, universality, and abuse-resistance. WKD is
decentralised and abuse-resistant but is not universal. keys.openpgp.org
is universal and abuse-resistant but highly centralised (and
functionally limited). Synchronising keyservers (SKS and Hockeypuck) are
decentralised and universal but abuse-prone.

Signature attestations will help tackle many of the abuse (and
functional limitation) issues, if we can get them standardised in a
future openpgp update (rfc4880tris?). But we will probably have to live
with more than one system for the foreseeable future, given the
different compromises required.

Solution:

Hockeypuck is an alternative keyserver implementation written in Go. It’s being extended to verify sigs to stop key spam.

github.com/hockeypuck/hockeypuck

Concerns regarding the authenticated key replacement mechanism

opened 09:13AM - 30 Jun 21 UTC

teythoon

bug

I have grave concerns regarding the authenticated key replacement mechanism as p…roposed by [HIP-1](https://github.com/hockeypuck/hockeypuck/wiki/HIP-1:-Regaining-control-over-public-key-identity-with-authenticated-key-management) and implemented in current hockeypuck versions. I believe it to be not complete, not functional, and dangerous. First, because it uses OpenPGP's detached signature mechanism, it requires a signing-capable (sub)key. Therefore, the mechanism fails to protect OpenPGP certificates without signing-capable (sub)key. The solution is not complete. Second, after a key has been replaced with a clean version, presumably to get rid of a flood of certifications, an attacker can simply re-add the certifications. The replacement mechanism does not assure sovereignty, only a momentarily relief. Therefore, the solution is not functional. I haven't looked into how gossiping plays into that, but if gossiping uses the same policy as updates using hkp, then gossiping will also re-add any third party certifications. Third, the pair of `keytext` and `keysig` are a capability to reset the copy of the certificate on the server to `keytext`. If a malicious party ever gets hold of such a pair, then they have the ability to remove updates from the certificate stored on the server. Undoing an update that extends the validity period of a certificate leads to an DoS because the certificate can no longer be used (e.g. for encryption). Undoing an update that revokes a key leads to a certificate being used even though it shouldn't, compromising authenticity and confidentiality. Therefore, I conclude that the mechanism is dangerous.

Here are the hockeypuck servers I could find, all synchronizing properly and apparently exchanging data (minus the unwanted packets) with the SKS servers that are synchronized:
http://keys.andreas-puls.de/pks/lookup?op=stats
http://keys2.andreas-puls.de/pks/lookup?op=stats
http://keys3.andreas-puls.de/pks/lookup?op=stats
http://pgp.cyberbits.eu/pks/lookup?op=stats
http://pgp.re:11371/pks/lookup?op=stats
https://pgpkeys.eu/pks/lookup?op=stats
https://keybath.trifence.ch/pks/lookup?op=stats
https://keyserver.trifence.ch/pks/lookup?op=stats
https://east.keyserver.us (stats page is misleading; it does sync)

https://west.keyserver.us

https://keyserver.dobrev.eu (down right now, but is normally reliable)

https://openpgp.circl.lu (stats page is misleading; it does sync)

https://keyserver.snt.utwente.nl

Staying updated:

A dev put together a live graph classifying keyserver types and status. This could serve as a source for new entries in case the list becomes obsolete with time.

https://spider.pgpkeys.eu/sks-peers

It also hosts graphs at:
https://spider.pgpkeys.eu/graphs
https://sks-status.gwolf.org/

Patrick · September 28, 2021, 10:41am

What is universality?

Patrick · September 28, 2021, 10:47am

If I understand that right, then Hockeypuck is not not abuse resistant, hence the same mess that lead to creation of gpg --recv-keys fails / no longer use keyservers for anything, hence unsuitable?

That would speak for new, fixed keyserver - keys.openpgp.org or no default gpg keyserver.

HulaHoop · September 29, 2021, 3:14pm

I’m assuming that the same key can only be related to this particular email, on all servers.

They do have some protections as a WIP, not perfect but more than anything else outthere today and definitely better than SKS or relying on a single server.

HulaHoop · October 6, 2021, 9:10pm

I Tested the servers on this list and only 4 work and they don’t even have your key on there. Only three recognize the Debian key so I don’t think making them default makes sense. Best to let devs decide on how users should fetch and verify their repo signing keys.

Patrick · October 7, 2021, 6:41am

Not sure we can blame them?

For example https://keys.openpgp.org / new, fixed keyserver - keys.openpgp.org (not in this forum thread) only people with access to my e-mail address / the whonix.org domain name can upload. They’re using verification codes sent by e-mail. Not perfect, not against advanced adversaries but stopping most spam. Since it wasn’t done, they cannot be blamed.

Dunno how key upload works for key servers mentioned in this forum thread, how it would be resolved if a malicious key was uploaded and one wanted to replace it with a legitimate one etc.

I’d wait what kind of default emerges in Debian or similar or what gains traction. Until then, no default key server and users can opt-in to use one.