[Pkg-gnupg-maint] Bug#519333: gnupg: Please include support for encrypted keyserver queries [PATCH]

Micah Anderson micah at debian.org
Wed Mar 11 22:11:42 UTC 2009


Package: gnupg
Version: 1.4.9-5
Severity: wishlist
Tags: patch

Hello,

There is a move towards providing keyserver queries over an encrypted
transport for the purposes of stopping the leakage of key query
information that could be used for transactional surveillance
purposes. There are keyservers now in the global pool that are set up
to provide encrypted transport, with more on their way.

The SKS keyserver developers are actively discussing how to add TLS
wrapped keyserver queries natively in the keyserver code[0]. Until
then people are setting up front-end SSL proxies, using things like
nginx. In fact, along with some other folks, I am running one which
supports this in the SKS pool[1]: zimmerman.mayfirst.org.

The gnupg developers have introduced a patch to the upstream stable
branch of gnupg 1.4[2] which provides a simple mechanism for
performing secure hkps queries to keyservers, and according to the
original author, this will be in gpg2 in the next round of patch
integration[3]. The PGP developers are also implementing this in their
code. Also, the IETF seems to have come to a similar position
recently[4].

It would be very much appreciated if Debian adopted the attached patch
so more people could have convenient access to this feature. When
upstream's STABLE-1.4 branch is released, then it could be simply
dropped. I've built and tested this and it works flawlessly; it's a
relatively small patch and upstream has already adopted it, so it
seems like a win all around.

Micah


0. thread starts at: http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00025.html
1. https://zimmerman.mayfirst.org or if you have installed the patch: hkps://zimmerman.mayfirst.org
2. http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
3. http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00036.html
4. http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnupg depends on:
ii  gpgv                   1.4.9-4           GNU privacy guard - signature veri
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.9-4             GNU C Library: Shared libraries
ii  libcurl3-gnutls        7.18.2-8          Multi-protocol file transfer libra
ii  libreadline5           5.2-4             GNU readline and history libraries
ii  libusb-0.1-4           2:0.1.12-13       userspace USB programming library
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

Versions of packages gnupg recommends:
ii  libldap-2.4-2                 2.4.15-1   OpenLDAP libraries

Versions of packages gnupg suggests:
pn  gnupg-doc              <none>            (no description available)
ii  imagemagick            7:6.3.7.9.dfsg1-3 image manipulation programs
ii  libpcsclite1           1.5.2-1           Middleware to access a smart card 

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg_hks.diff
Type: text/x-diff
Size: 11921 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20090311/0a27cd2d/attachment.diff 
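The "front-end SSL proxy" arrangement mentioned in the report, as an added example that is not part of the bug report or of the attached patch: a hypothetical nginx server block that terminates TLS on port 443 and forwards only the HKP query paths to an SKS daemon on its default port 11371. The host name, certificate paths and the backend address are assumptions to be replaced with the operator's own.

```nginx
# Added example (not from the report or the patch): nginx TLS front end
# for an SKS keyserver. Names and paths below are placeholders.
server {
    listen 443 ssl;
    server_name keys.example.org;            # placeholder host name

    ssl_certificate     /etc/ssl/certs/keys.example.org.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/keys.example.org.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;     # no SSLv3/TLS 1.0 for new deployments
    ssl_prefer_server_ciphers on;

    # HKP lookups and submissions live under /pks/; SKS itself speaks plain
    # HTTP on 127.0.0.1:11371 (its default port), so TLS ends here.
    location /pks/ {
        proxy_pass http://127.0.0.1:11371;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Anything outside the HKP namespace is refused rather than proxied.
    location / {
        return 404;
    }
}
```

A client carrying the hkps patch would then point `keyserver hkps://keys.example.org` at this front end, while the plaintext hkp port can stay open for legacy clients during the transition.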