Bug #17090

Use keys.openpgp.org as the default key server

Added by blakim 5 months ago. Updated 5 months ago.

Status: Duplicate
Priority: Elevated
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

The SKS Keyservers are susceptible to signature flooding (references below).
A lot of PGP software (Enigmail, GPG Suite, Android OpenKeychain) has switched to keys.openpgp.org,
a newly developed key server, which mitigates this bug as well as other privacy concerns with the SKS system.

We should switch to it as well. Because Tails is configured to use an onion key server by default, it is still
using the SKS system, even though Enigmail itself has made the switch.

OpenPGP.org provides an Onion Service, which can be used as a drop-in replacement for the current one:

hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

References


Related issues

  • Related to Tails - Feature #16575: Use a more reliable OpenPGP key server by default (Duplicate, 03/19/2019)
  • Duplicates Tails - Bug #12689: gpg --recv-key often hangs due to unreliable keyserver (Resolved, 06/13/2017)
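
The keyserver switch proposed in the description can be checked against a GnuPG configuration as sketched here. This is an added example, not code from Tails or from anyone in this thread: the function names and the sample configuration (including its placeholder .onion) are constructed, and `sks-keyservers.net` is the SKS pool's domain, which the page itself does not spell out.

```python
import re

# Onion service address quoted in the issue description.
OPENPGP_ONION = "hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion"
OPENPGP_HOSTS = {"keys.openpgp.org", OPENPGP_ONION.split("://")[1]}
# Matches an active "keyserver URI" line, not comments or "keyserver-options".
KEYSERVER_RE = re.compile(r"^\s*(?:--)?keyserver\s+(\S+)")

# Constructed sample GnuPG configuration (the .onion below is a placeholder).
SAMPLE = """\
# constructed sample
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver hkp://placeholderplaceholder.onion
# keyserver hkps://keys.openpgp.org
keyserver-options no-honor-keyserver-url
"""

def classify(uri):
    """Label a keyserver URI: keys.openpgp.org, sks-pool, or unknown."""
    host = re.sub(r"^[a-z]+://", "", uri.lower()).split("/")[0].split(":")[0]
    if host in OPENPGP_HOSTS:
        return "keys.openpgp.org"
    if host == "sks-keyservers.net" or host.endswith(".sks-keyservers.net"):
        return "sks-pool"
    return "unknown"  # e.g. an onion front end; its backend needs manual review

def audit(conf_text):
    """Return (line_no, uri, label) for every active keyserver line."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = KEYSERVER_RE.match(line)
        if m:
            hits.append((n, m.group(1), classify(m.group(1))))
    return hits

def migrate(conf_text):
    """Comment out other keyservers and add the onion service once."""
    out, added = [], False
    for line in conf_text.splitlines():
        m = KEYSERVER_RE.match(line)
        if m and classify(m.group(1)) != "keys.openpgp.org":
            out.append("# replaced: " + line.strip())
            if not added:
                out.append("keyserver " + OPENPGP_ONION)
                added = True
        else:
            added = added or bool(m)
            out.append(line)
    return "\n".join(out) + "\n"
```

An onion keyserver shows up as `unknown` in `audit` because the hostname alone does not reveal which backend it fronts, which is the situation the description reports for the Tails default.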

History

#1 Updated by sajolida 5 months ago

  • Related to Feature #16575: Use a more reliable OpenPGP key server by default added

#2 Updated by sajolida 5 months ago

  • Related to Bug #12689: gpg --recv-key often hangs due to unreliable keyserver added

#3 Updated by sajolida 5 months ago

Thanks for starting this discussion, I didn't dare start it myself until now :)

I love the concept of keys.openpgp.org and the situation of the SKS pool is very concerning. I've also had continuous problems using the default keyserver configuration of Tails for years and had to overwrite it manually with --keyserver almost every time (see #16575).

My only concern with keys.openpgp.org right now is that it has very few keys right now: most of my contacts are not there yet.

On the other hand, I wonder which fraction of OpenPGP users rely on key servers at all.

At least from my own experience I have the impression that key servers are used a lot by the techie side of OpenPGP users (free software developers, security people, etc.) while the activist side of OpenPGP users doesn't use them a lot (for different reasons) and is more used to sending their public keys as an attachment on demand (Enigmail makes this super easy).

So switching to keys.openpgp.org might not be problematic for the less tech-savvy portion of our audience.

#4 Updated by intrigeri 5 months ago

  • Duplicates Bug #12689: gpg --recv-key often hangs due to unreliable keyserver added

#5 Updated by intrigeri 5 months ago

  • Related to deleted (Bug #12689: gpg --recv-key often hangs due to unreliable keyserver)

#6 Updated by intrigeri 5 months ago

  • Status changed from New to Duplicate

Thanks everyone! I've indeed mentioned this possibility on #12689#note-19, which we use to track the problem and the candidate solutions, so I'm closing this as a duplicate.
