Hi, I reuse the thread as this topic is quite related.

From the parcimonie [1] manual one sentence hit my brain: "if using hkps:// (which would be our second choice behind hkpms://)". To be honest, this is the first time I heard of hkpms, despite reading some lists and trying to keep up with security topics. As Wikipedia has no article [2] on this yet, by this (eventually I found time in some quiet night hour) I try to summarize my findings in case others find this useful or are keen to add something.

[1] https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
[2] http://en.wikipedia.org/wiki/HKPMS

This is what the parcimonie manual says:

> hkpms://
>
> We recommend using hkpms; see http://web.monkeysphere.info/ for
> details. When a hkpms:// keyserver is being used, one needs to do
> two additional steps since gpgkeys_hkpms does not work in the
> torsocks wrapped environment parcimonie uses by default to run gpg.
>
> Torify gpgkeys_hkpms
>
> Just add the following line to gpg.conf:
>
>     keyserver-options http-proxy=socks://127.0.0.1:9050
>
> Hey, parcimonie, gpg is already torified
>
> Pass the --gnupg-already-torified switch to the parcimonie
> daemon command-line. parcimonie will then rely on the
> keyserver-options previously added to gpg.conf, and won't attempt to
> torify gpg connections itself.

< http://www.gossamer-threads.com/lists/gnupg/users/60543
> in the nearer term, you could also use msva-perl with hkpms (if you
> want to verify remote hosts via the OpenPGP web of trust).

< https://tails.boum.org/contribute/design/
> Monkeysphere's hkpms:// support will be used as soon as possible in
> place of the hierarchical X.509 certification model.

hkpms is available in Debian: msva-perl

< http://packages.debian.org/jessie/msva-perl
> "Cryptographic identity validation agent"
> The Monkeysphere Validation Agent offers a local service for tools to
> validate certificates (both X.509 and OpenPGP) and other public keys.
> This package contains a perl implementation of a Monkeysphere

< http://web.monkeysphere.info/FAQ/
> In addition, this project being what it is, there is now also a
> Monkeysphere-enabled hkps ("hkpms") module provided with the
> Monkeysphere validation agent package (msva-perl in Debian). This uses
> the user's monkeysphere validation agent, if running, to confirm the
> identity of the keyserver. The Monkeysphere developers have signed the
> host key of keys.mayfirst.org, so if you have a trust path to the
> Monkeysphere developers you can try using hkpms://keys.mayfirst.org.

I found that Kristian's key is signed for hkpms too, while the manual also recommends using a different pool server for parcimonie than for daily requests.

> You may want parcimonie to use a different keyserver than the
> one your usual GnuPG invocations do. This can be achieved by passing
> to parcimonie a command-line option such as:
>
>     --gnupg-extra-arg "--keyserver=hkps://zimmermann.mayfirst.org"

    pub   4096R/40F3D015 2012-10-06
          hkps://keys.kfwebs.net
          hkpms://keys.kfwebs.net
          https://keys.kfwebs.net
          hkps://hkps.pool.sks-keyservers.net
          hkpms://hkps.pool.sks-keyservers.net
          https://hkps.pool.sks-keyservers.net
          Fingerprint=29D2 ED98 74EE 2B60 3CE3 648E 8BF5 AD41 40F3 D015

To use hkpms with the above I add to ~/.gnupg/gpg.conf:

    keyserver hkpms://hkps.pool.sks-keyservers.net
    keyserver-options http-proxy=socks://127.0.0.1:9050

    $ gpg --search cia
    gpg: searching for "cia" from hkpms server hkps.pool.sks-keyservers.net
    gpgkeys: protocol `hkpms' not supported
    gpg: no handler for keyserver scheme `hkpms'
    gpg: keyserver search failed: keyserver error

Of course! How should gpg know how to handle monkeysphere requests if it is not installed? So we need to install msva-perl.

    $ gpg --search cia
    Requesting a socks proxy for hkpms, but LWP::Protocol::socks is not installed. This will likely fail.
    Received 'ca-cert-file=/etc/ssl/certs/sks-keyservers.netca.pem' as an option, but gpgkeys_hkpms does not implement it. Ignoring...
    HTTPS error: 501 Protocol scheme 'socks' is not supported

Currently msva-perl recommends liblwp-protocol-socks-perl, but I usually drop recommendations by config due to limited disk space. So I also installed liblwp-protocol-socks-perl (maybe it should become a dependency of msva-perl in future versions).

    $ gpg --search cia
    gpg: searching for "cia" from hkpms server hkps.pool.sks-keyservers.net
    gpg: error reading key: public key not found
    Monkeysphere HKPMS Certificate validation failed: Failed to validate "https://hkps.pool.sks-keyservers.net" through the OpenPGP Web of Trust.
    HTTPS error: 500 Can't call method "http_configure" on an undefined value
    gpg: key "cia" not found on keyserver

This often puzzles me with gnupg. Gpg tells 'public key not found', which in the first place confuses me to think that no key CAN be found. Instead it would be better to suppress the info due to the connection issues. But I understand it is sometimes hard to implement this for all unforeseen errors with underlying connection layers.

Ok. Now I need to understand and set up monkeysphere. What is it and what do I need to do?

Have you ever thought: What about having a list of trusted IP addresses? Trusted means, I think the admins of this server are knowledgeable and responsible enough to take care that all the applications on that server are not vulnerable to spambots, trojans, arbitrary code execution and other kinds of remote usage. In other words: How to designate a host to only do "good" things.

This is what Monkeysphere helps with. Monkeysphere manages your trusted ssh servers/clients stored in .ssh. Also it will keep a list of trusted TLS certificates. From the FAQ:

> On a more generalized scale, the CA architecture is
> obviously flawed, it isn't just us monkeys who think this. A number of
> other people also complain about the problem of centralized authority
> and wish there was something else. We would like to think that we are
> creating a rallying point around this issue. We've learned
> significantly handling things via the monkeysphere model. We've
> started with ssh and https, but we definitely have hopes to extend
> this reach. The project has proceeded one step at a time starting
> with openssh and then we broadened the project to usurp the dominant
> X.509 PKI for TLS/HTTPS authentication.

How does it work? http://web.monkeysphere.info/doc/

To summarize what I have learned: The hkpms protocol provides monkeysphere authenticated secured connections for gpg key searches. As I send them through the TOR network they are also anonymized. This is quite nice, as by this I can be sure that no one can log which keys I am searching for, that they keep updated, and even in case Kristian or any server in the pool is an evil eavesdropper, they do not know my WoT. (I hope somebody tells me if I misunderstood or missed something.)

This also is an issue for ssh. From /etc/monkeysphere/monkeysphere.conf:

    # Set whether or not to check keyservers at every monkeysphere
    # interaction, including all ssh connections if you use the
    # monkeysphere ssh-proxycommand. Leave unset for default behavior
    # (see KEYSERVER CHECKING in monkeysphere(1)), or set to true or false.
    # NOTE: setting CHECK_KEYSERVER explicitly to true will leak
    # information about the timing and frequency of your ssh connections
    # to the maintainer of the keyserver.
    #CHECK_KEYSERVER=true

So something like parcimonie for gpg keys would be useful then as well.

Finally I would like to ask in the round if this evaluation from the FAQ is still up to date:

> Q: Do you have a keyserver you can recommend?
>
> The Monkeysphere developers currently recommend the SKS pool
> hkp://pool.sks-keyservers.net. The SKS pool isn't perfect: there is
> currently no encrypted transport between SKS servers, they don't yet
> authenticate the gossip peers or integrity check the data streams, and
> they sadly chew up a lot of ram in the face of connections with an
> AWOL server. However, in our experience of trying other keyservers,
> SKS so far is the best and it has good momentum behind it. Right now
> it doesn't have gnutls bindings, but if you know ocaml, we'd love to
> talk to you so that SKS (which is written in ocaml) can use gnutls for
> OpenPGP certificates for TLS authentication, which would be a nice
> thing to have.

I'm curious about your corrections.

Kardan

-- 
Kardan <kar...@riseup.net>
Encrypt your email: http://gnupg.org/documentation
Public GPG key 9D6108AE58C06558 at hkp://pool.sks-keyservers.net
fpr: F72F C4D9 6A52 16A1 E7C9 AE94 9D61 08AE 58C0 6558
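As an added example (not from Kardan's post nor from the parcimonie or Monkeysphere projects), a POSIX shell preflight script that reads the gpg.conf lines described above and lists what the hkpms-over-Tor setup needs before gpg --search is run: the gpgkeys_hkpms helper from msva-perl, the LWP::Protocol::socks Perl module for the socks:// proxy, and a note that ca-cert-file is ignored by gpgkeys_hkpms. It assumes the GnuPG helper layout in which scheme X is handled by a program named gpgkeys_X, found on PATH or under /usr/lib/gnupg*.

```shell
#!/bin/sh
# Preflight check for the hkpms-over-Tor gpg.conf setup from the post.
# Added example; assumes gpg dispatches scheme X to a helper program named
# gpgkeys_X (gpgkeys_hkpms ships with msva-perl), on PATH or in /usr/lib/gnupg*.

# Print the scheme of the configured keyserver ("hkpms" for hkpms://...).
keyserver_scheme() {
    awk '$1 == "keyserver" { sub(/:.*/, "", $2); print $2; exit }' "$1"
}
# Print the http-proxy value from keyserver-options, or nothing if unset.
keyserver_proxy() {
    awk '$1 == "keyserver-options" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^http-proxy=/) { sub(/^http-proxy=/, "", $i); print $i; exit }
    }' "$1"
}
# List what this config implies, one item per line, so the errors seen in the
# post ("no handler for keyserver scheme", "LWP::Protocol::socks is not
# installed", ignored ca-cert-file) are predicted rather than discovered.
requirements() {
    scheme=$(keyserver_scheme "$1")
    proxy=$(keyserver_proxy "$1")
    [ "$scheme" = "hkpms" ] && echo "helper:gpgkeys_hkpms"
    case "$proxy" in
        socks://*) echo "perl:LWP::Protocol::socks" ;;   # liblwp-protocol-socks-perl
    esac
    grep -q 'ca-cert-file=' "$1" && echo "warn:ca-cert-file is ignored by gpgkeys_hkpms"
    return 0
}
# Test one requirement against the running system; exit status 0 = satisfied.
check_requirement() {
    case "$1" in
        helper:*) command -v "${1#helper:}" >/dev/null 2>&1 ||
                  ls /usr/lib/gnupg*/"${1#helper:}" >/dev/null 2>&1 ;;
        perl:*)   perl -M"${1#perl:}" -e 1 >/dev/null 2>&1 ;;
        *)        return 0 ;;
    esac
}
# Constructed sample reproducing the gpg.conf lines from the post.
CFG=$(mktemp)
cat >"$CFG" <<'EOF'
keyserver hkpms://hkps.pool.sks-keyservers.net
keyserver-options http-proxy=socks://127.0.0.1:9050
EOF
requirements "$CFG" | while read -r req; do
    case "$req" in warn:*) echo "$req" ;;
    *) check_requirement "$req" && echo "ok: $req" || echo "missing: $req" ;; esac
done
rm -f "$CFG"
```

Pointing it at the real ~/.gnupg/gpg.conf instead of the constructed sample shows, before any network request, which of the three obstacles from the post still apply on a given machine.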
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users