Return-Path: Received: from [10.144.0.7] (host-37-191-231-105.lynet.no. [37.191.231.105]) by smtp.googlemail.com with ESMTPSA id p67sm3493092lfe.14.2018.11.13.12.30.29 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Nov 2018 12:30:29 -0800 (PST) To: Mike References: <20181108105609.a41b529c7814ed6b2be95270@yakamo.org> <5ad629bd-f2cc-f33f-15ee-60f3ea3b1d5b@sumptuouscapital.com> <20181108204937.191f1f1b4fae0d599031b9b2@yakamo.org> From: Kristian Fiskerstrand Openpgp: preference=signencrypt Autocrypt: addr=kristian.fiskerstrand@sumptuouscapital.com; prefer-encrypt=mutual; keydata= xsFNBEdj//4BEAC3zjKRryW1mLec38x0w9ByG50h6KJddkZe3UNdGhAa3S5E4NAi/fUoe3gD LUDDmpHZNqtbMgrobwUNjLrp+PDZNdMJFAnbWXvmsMwuax0SWJzy4alem34tvir3a2PpnVr9 ylyAyxPChMM0ANelT/fiYIEysjAbHXjri89qdT+yA16CMljoun7vIOmq7ohKdNd1Dci6qoyj 0NllvR2AiBI+ZJnoF4hkRKO1PNUJROzn/ku88idaNkWyq7rREI+WkhS+K6xg1R/d6mTp+bHP tmwGlN4U1Lgx9qeitYzirkQeA8EGK/EEPPZG85WvXSrTftoPvQswOtW7I+jkTdd30GHXf6JH Rq4oR0mT65mqckycPjXNw6RM0fxyx06/kbVG8x3tzc3roJF+hR+h5QWIWsQOc3ZAhbJPWnfP D/kEN20yvb6EXWha+70QJbrBsnN0M8MLF7x+ZWTKESOVpshUBG67iq/FWCpv3st2VTq4M0Ep b/ORIKlfEgSsGv6waooF0ik41ey3k6PIcuHTq/sCoFoC6EH75wqsbmLkVSyqTKm3MSjlN26d ei425iCXJSyH0L1WmeS0i0rzcF5BCu9V280DmNFHWkr4iHiyrVcNyccocMTeh6/ZG7XSI0wc TONVNnKtofVHkzwHMdDlDx4lFRG+V0ftimR5THlxtG8AzQKY9QARAQABzUJLcmlzdGlhbiBG aXNrZXJzdHJhbmQgPGtyaXN0aWFuLmZpc2tlcnN0cmFuZEBzdW1wdHVvdXNjYXBpdGFsLmNv bT7CwX8EEwEIACkCGwMCHgECF4ACGQEFCwkIBwMEFQoJCAUWAgMBAAUCWiWhXAUJFMX2sgAK CRALf4tg4+364/YeEACSDL8stCAArMoqgXlTAdAKQFedJHyoS2QFVzuLx+k7CCGt0jVrNh3d HRQ92pF2QJScWKw76/LHvh6lMBPJwBEXRIvQNDNUb/zyBx96FipC+Dkd8Fxu3s4W+6YCqUBa lmC5XKB6uF/W5wanvpAn1K8bvUb3sq86RYTD0qZui4LMhvm8A0A1Na4+ZeGyfBFhcH5Oh+nh wkZjL7mbMTe25QCeCs4wQpYowia70EZLcQF4MboF9GzH5PIb0ipG5Jtfk9QfSlT+bnkRL1KR DR6rHo7iAYcMt4oJVU1qo1akSBe0MsMI37OdWDtNvUy2Svd2BCLZl49KZnErleC3R/axrtkL 2w1f0P4FoiuPq7mPeiUBhLaZLlc2fz490cEwjsgsY6GuiCWlbyjBMtp0OKM4VBqt5tdxBo/R X5Y6kNOGWpDHx8D+Dl8ToTDJuH2I0k2wfcUibYzWfwXpPpwZ5iXidwLYXbBQ2qqlyB7MP3Po z3zl+UulJyxIYGjg2sO4FmmRs0tThceaNIiDtP5uPLu77oCkAAsWuFSfa6Iwq9+PIQTqTFhH nJ1v/xrdqKWSYB6tm9Tkb0KkUKxFhc7QVyphvh473UEAQ78bQFWrGHqiejQtiiR3MOubwUyt YkNi+ef068rs27SPfRmBAvRw2EMZWhWyX/P2xM4PPp24reOn4ZuAAM7ATQRVZfyNAQgAvppy gWUI21WpA8IZZC+HXywKOqAIXgEQG8m62kVE048A8gjwk8vcmDKU0vlD6OGZ0capeWzWK5kN Gi8kl4ejvgULXKQCAV8ycEUWXmBSmzabhGruMY96Hy1OILc9tb3Wpg3wggW+PZjc5IuLIa1k 9AiDg6SQExDhC27x1EUKZkxkIG+EThSKHbCFB3t4tbwlI8Na4LUfjOxCILA2KVl7CXD/eUNr apJeSGJOtYEhgNFhuHoSG7Po9k6cy2eRrviq9X9cEW10Y3ocCypKvenuUjrN4bUd0IUsODLy cZ3aL+zEmIdhZsG7dQeFmFeJKK+XDgLIMNgr+EP9+89U/COZ5QARAQABwsFlBBgBCAAPAhsM BQJaJaF0BQkGw/ojAAoJEAt/i2Dj7frjgbYQAIYDkXvyczRVnEZloYQbHsqjGwekWXTkTk74 yYF5U+GoGGzbdFAmF2FhhWxlwIoPLtWoUXmdBknyqtAHCIlYrqPi0fsY6SdIU3qdDDESjR9g ixoPKOP5pFRC3KsPn0MNUXElbkdHvn0YSjuj0GdBi8YUa1XGRNW/O8PH4HP900OipflQhuEC 3yI5AYiq+Grd80RzJg8F108bn8YmoHapV5zZGfzp5L3pHCNOGsBlpTDrQA3XvlKti3AujaF8 8Nq3tj5kTsj73I30WOctGH3d9QWdySuK5RekAYvMSHU7M9oHtwV9dfVdRFbbuP4fhf+yF56S yu0k7jGe8e0d1xshwOMIXu8/3z4hYOpPfAvkl7n3QNHeqtT1KwRYqCCwKeK8pKZZlsBJ3D6X PuEZyTc/JIiZr8yALslTYubCCNyYQj7fByxM7neVPPaciNhbkGHImwfJGPBSEuP/UXciroUc rvwwGfY76+WvezaU+O3SLcrT9i+emo9uA14Syb51RWz8h/x55Yu2UpONhArhearvW+0kJBx/ YzG0Us7TLMNAiiQYlGibMmaBgRWW33vMXWT9H3FIN8L1NI/Qvy3/N0zDHawUOUvVMNtAzbWe xFtxXQ7zyxLUBHHhFdezpWyXmm71qEaOMdDLnTwLqv3ENHUfZzmCc2KtZjTX0qrgBQD08nPn Subject: Re: New article Message-ID: <07cdea73-ebd3-f75b-583b-ba94d028367e@sumptuouscapital.com> Date: Tue, 13 Nov 2018 21:30:12 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <20181108204937.191f1f1b4fae0d599031b9b2@yakamo.org> Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="jb2ksiWwkBoPiEAChI8OURdgrdKMHzGPq" This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --jb2ksiWwkBoPiEAChI8OURdgrdKMHzGPq Content-Type: multipart/mixed; boundary="WstOZn3Duw0FRoYZiTKiGL4T7HztUdVAr"; protected-headers="v1" From: Kristian Fiskerstrand To: Mike Message-ID: <07cdea73-ebd3-f75b-583b-ba94d028367e@sumptuouscapital.com> Subject: Re: New article References: <20181108105609.a41b529c7814ed6b2be95270@yakamo.org> <5ad629bd-f2cc-f33f-15ee-60f3ea3b1d5b@sumptuouscapital.com> <20181108204937.191f1f1b4fae0d599031b9b2@yakamo.org> In-Reply-To: <20181108204937.191f1f1b4fae0d599031b9b2@yakamo.org> --WstOZn3Duw0FRoYZiTKiGL4T7HztUdVAr Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 11/8/18 8:49 PM, Mike wrote: > Here are the questions as follows: >=20 > 0. What is your position in the SKS Keyserver community and the > project its self? I develop and operate the sks-keyservers.net DNS round robin and am one of the maintainers of SKS itself. >=20 > 1. With all the recent PoC's that have appeared in the last 6 months > and yet no sign of fixes, have you got plans to fix and protect the > servers against them? The PoCs that have appeared over the past 6 months are not in any way novel; they are really using old techniques that have been discussed for quite a long time. Some is based on inherent features of a world-writeable add-only datastore, encapsulated in valid OpenPGP packets. So any change will naturally have to consider to what extent it should be filtered or not, and what would constitute censorship. Although the issues breaks visual aspects and some lower end servers, the keyservers are themselves operational for the default pools. Some larger changes are currently being discussed such as exporting (and for servers to only accept) a minimal set of data (in particular revocation certs, but not UID/UAT packets), along with others running Certificate Authorities (validating keyservers) as an alternative to the traditional keyserver network, while Web Key Directory is anyways a better way for the initial key discovery. So which way we'll go depends a bit on other developments. > 1b. If so what kind of deadline are you looking at? there is really no hurry, it is more important to get a proper solution than a rushed one. > 1c. If not why? see 1b >=20 > 2. Do you still believe that the servers are resiliant to goverments > or other malicious attackers now that someone with a raspberry pi or > any low power computer for example can bring down the entire > network. This needs elaboration for any proper response. The keyservers in the OpenPGP network are not and have never been designed to be a trusted party as the security model is based on object based security. >=20 > 3. Alot of people in the past through the mailing lists have pointed > out multiple issues that could cause the complete shutdown of the > network overnight, such as child porn or copyright material being > posted in the keys, why is it that these issue have never been > addressed? The same way they are not in blockchains or in BGP; It would change the entire nature of the network in ways that are not federatable between non-trusted peers. >=20 > 4. Admins and devs have taken these PoC's as an attack on the > servers, where in most organisations they would fix these ASAP or > even payout bug bountys. Do you think that if previous warnings about > this kind of problem had been listened to, PoC's of this type would > exist? Some will always want to do vandalism for one reason or the other, and there will always be attempts to break down any security related mechanis= m. >=20 > 5. Now that the infrastructure is no longer something that anyone can > trust, do you believe it should continue to run? 5b. if not what > should be done? 5c. if yes,why? with all the current problems It has never been intended to be trusted, so I need more clarification on what is intended here. Are you worried about DoS vector / unavailability of TPKs? >=20 > i will also send a draft of the article to you incase there are > inaccuracys or mistakes you think need corrected. >=20 > Thank you for taking time to answer these questions sure --=20 ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- "Expect the best. Prepare for the worst. Capitalize on what comes." (Zig Ziglar) --WstOZn3Duw0FRoYZiTKiGL4T7HztUdVAr-- --jb2ksiWwkBoPiEAChI8OURdgrdKMHzGPq Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEtOrRIMf4mkrqRycHJQt6/tY3nYUFAlvrNFUACgkQJQt6/tY3 nYXN1Af+J9XEmTnhWIK9hsJviwEzE3OPcPOHWBGz6x8PcfwV1eF4W6PBz41yMJMH rdL13Mi8QpZh0ccope0UVEDri7BYJWmzuVSCSUtJ2kgd5FSYReRkjysze8Ai9G7C 4kUEB38y7UYRg/PwCgzErYmULhGKAfBg58PmYvYuG2LL323GmunXqufby3BKcUx2 AjqsQNTu2bYoW4MX/l+wI3YtApNAHBUsUgXL1tJMyXxzoSrklgayHRbrx1KUoFIt ISt0zXwvHXLtjXHmWiWgY1TU/g2Kia5HC/XLPP8ayMOp/MDnM9yKew9dw8qclM24 EPKaGLBLYGOSdOCI/fI6AK/6UmfexQ== =sc2n -----END PGP SIGNATURE----- --jb2ksiWwkBoPiEAChI8OURdgrdKMHzGPq--