Bug #17090

Use keys.openpgp.org as the default key server

Added by blakim 2019-09-24 07:41:02. Updated 2019-09-30 17:17:16.

Status: Duplicate
Priority: Elevated
Assignee:
Category:
Target version:
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

The SKS Keyservers are susceptible to signature flooding (references below).
A lot of PGP software (Enigmail, GPG Suite, Android OpenKeychain) has switched to keys.openpgp.org, a newly developed key server, which mitigates this bug as well as other privacy concerns with the SKS system.

We should switch to it as well. Because Tails is configured to use an onion key server by default, it is still using the SKS system, even though Enigmail itself has made the switch.

OpenPGP.org provides an Onion Service, which can be used as a drop-in replacement for the current one:

hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

References



Related issues

Related to Tails - Feature #16575: Use a more reliable OpenPGP key server by default (Duplicate, 2019-03-19)
Is duplicate of Tails - Bug #12689: gpg --recv-key often hangs due to unreliable keyserver (Resolved, 2017-06-13)

History

#1 Updated by sajolida 2019-09-24 15:36:52

  • related to Feature #16575: Use a more reliable OpenPGP key server by default added

#2 Updated by sajolida 2019-09-24 15:38:05

  • related to Bug #12689: gpg --recv-key often hangs due to unreliable keyserver added

#3 Updated by sajolida 2019-09-24 15:39:55

Thanks for starting this discussion, I didn’t dare start it myself until now :)

I love the concept of keys.openpgp.org and the situation of the SKS pool is very concerning. I’ve also had continuous problems using the default keyserver configuration of Tails for years and had to overwrite it manually with --keyserver almost every time (see Feature #16575).

My only concern with keys.openpgp.org right now is that it has very few keys right now: most of my contacts are not there yet.

On the other hand, I wonder which fraction of OpenPGP users rely on key servers at all.

At least from my own experience I have the impression that key servers are used a lot by the techie side of OpenPGP users (free software developers, security people, etc.) while the activist side of OpenPGP users doesn’t use them a lot (for different reasons) and is more used to sending their public keys as attachments on demand (Enigmail makes this super easy).

So switching to keys.openpgp.org might not be problematic for the less tech-savvy portion of our audience.

#4 Updated by intrigeri 2019-09-30 17:15:56

  • is duplicate of Bug #12689: gpg --recv-key often hangs due to unreliable keyserver added

#5 Updated by intrigeri 2019-09-30 17:16:09

  • related to deleted (Bug #12689: gpg --recv-key often hangs due to unreliable keyserver)

#6 Updated by intrigeri 2019-09-30 17:17:16

  • Status changed from New to Duplicate

Thanks everyone! I’ve indeed mentioned this possibility on Bug #12689#note-19, which we use to track the problem and the candidate solutions, so I’m closing this as a duplicate.