On Sun, Jul 14, 2013 at 9:46 AM, kardan <kar...@riseup.net> wrote:
> Thanks for the inspection! From my limited view I can not say what
> makes a keyserver legitimate. This is what whois says for me
>
> Domain Name: SKS-KEYSERVERS.NET
> Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
> Whois Server: whois.PublicDomainRegistry.com
> Referral URL: http://www.PublicDomainRegistry.com
> Name Server: NS1.KFWEBS.NET
> Name Server: NS10.SKS-KEYSERVERS.NET
> Name Server: NS11.SKS-KEYSERVERS.NET
> Name Server: NS12.SKS-KEYSERVERS.NET
> Name Server: NS13.SKS-KEYSERVERS.NET
> Name Server: NS6.SKS-KEYSERVERS.NET
> Status: clientTransferProhibited
> Updated Date: 17-feb-2013
> Creation Date: 01-dec-2006
> Expiration Date: 01-dec-2015

Did you follow the referral and query whois.publicdomainregistry.com to get the more detailed information about the domain? For example, http://smartwhois.com/whois/SKS-KEYSERVERS.NET will follow the referral and yield the registrant's contact information (which I will not include here).

> Searching for the owner via gpg brings different results without
> success. I assume the pool is not that well maintained?

I searched for the registrant of sks-keyservers.net on the keyservers and found two current, valid public keys for them: a 4096-bit RSA key signed by lots of people (0x6B0B9508) and a 15,360-bit(!) RSA key with only a self-sig (0x43E67CF7).

My understanding is that the pool and the SKS keyserver software it runs are well-maintained. http://www.sks-keyservers.net/status/ shows 53 active servers in the pool.

> * Connected to pool.sks-keyservers.net (198.82.169.69) port 443 (#0)
> * found 1 certificates
> in /etc/ssl/certs/hkps.pool.sks-keyservers.net.pem
> * server certificate verification failed.
> CAfile: /etc/ssl/certs/hkps.pool.sks-keyservers.net.pem CRLfile: none

Interesting. According to http://www.sks-keyservers.net/overview-of-pools.php (see the very bottom), the pool uses its own CA to sign server certs for HKPS servers it lists. Server certificates for pool servers are signed by the pool CA. If the certificate in /etc/ssl/certs/hkps.pool.sks-keyservers.net.pem is a server cert for one specific HKPS server in the pool, you will get certificate errors when you query other servers in the pool (as they each have their own unique certificate).

The pool CA certificate is available at https://sks-keyservers.net/sks-keyservers.netCA.pem

Do you have GnuPG configured to use the CA certificate for the pool? It looks like you're telling GnuPG to use one particular server certificate as the CA, which won't work.

When I downloaded the pool CA and performed a key search over HKPS as follows,

    $ gpg2 --search --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=./sks-keyservers.netCA.pem 0xDA122186

everything works as expected. (0xDA122186 is the KeyID for one of my own keys.)

You can also specify the ca-cert-file in your config file:

~/.gnupg/gpg.conf:

    keyserver hkps://hkps.pool.sks-keyservers.net
    keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem

The PEM certificate you mentioned,

> SSL certificate for hkps.pool.sks-keyservers.net:
>
> -----BEGIN CERTIFICATE-----
> MIIGkzCCBXugAwIBAgIDCsjWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
[snip]

appears to have been issued by StartSSL, a well-known CA, and has not been signed by the pool CA. The key is issued with a CN=www.secretresearchfacility.com. There is a pool key server running under that domain, keyserver.secretresearchfacility.com, but it's running on a server that uses SNI to use multiple SSL certificates on a single server.

GnuPG appears to support SNI and so works correctly (gpg2 --search --keyserver hkps://keyserver.secretresearchfacility.com --keyserver-options ca-cert-file=./sks-keyservers.netCA.pem 0xDA122186 works properly) but does curl? If not, curl would not specify the correct hostname it's looking for and the server (which doesn't know what hostname the client wants) would present its default CA, which is the StartSSL-issued one.

Cheers!
-Pete

--
Pete Stephenson

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
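An added example (not from the thread above) for telling the two failure modes apart: it fetches the certificate a HKPS server presents with and without SNI, shows the CN of each, and verifies each against the pool CA. It assumes OpenSSL 1.1.1 or newer (for `-noservername`) and that the pool CA was saved as ./sks-keyservers.netCA.pem; the hostnames are the ones from the thread.

```shell
#!/bin/sh
# check_hkps_tls.sh - compare the certificate a HKPS server presents
# with and without SNI, and verify both against the pool CA.
# Added example; CA_FILE path is an assumption, override via environment.

CA_FILE="${CA_FILE:-./sks-keyservers.netCA.pem}"

# Extract the CN from an "openssl x509 -subject" line. Handles the older
# "subject= /C=US/CN=host" form and the newer "subject=C = US, CN = host".
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *//p' | sed 's/[,/].*//'
}

# Print the PEM leaf certificate a server presents on port 443.
# mode "sni": send the hostname in the handshake (what GnuPG does).
# mode "nosni": send no SNI, so a multi-cert host falls back to its default.
fetch_cert() {
    host="$1"; mode="$2"
    if [ "$mode" = "sni" ]; then
        sni_opt="-servername $host"
    else
        sni_opt="-noservername"
    fi
    printf '' | openssl s_client -connect "$host:443" $sni_opt 2>/dev/null |
        openssl x509
}

# For each mode, report the CN seen and whether the pool CA validates it.
# "OK" only for the SNI run means the client must send SNI, not that the
# CA file is wrong; "OK" for neither means the CA file or server is wrong.
check_server() {
    host="$1"
    for mode in sni nosni; do
        cert="$(fetch_cert "$host" "$mode")"
        subj="$(printf '%s\n' "$cert" | openssl x509 -noout -subject)"
        cn="$(cn_from_subject "$subj")"
        result="$(printf '%s\n' "$cert" | openssl verify -CAfile "$CA_FILE" 2>&1 | tail -n 1)"
        echo "$host [$mode] CN=$cn verify: $result"
    done
}

# Usage: sh check_hkps_tls.sh keyserver.secretresearchfacility.com
if [ $# -ge 1 ]; then
    check_server "$1"
fi
```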