Fedora has been part of an GPG sks service[1] for a number of years running off of keys.fedoraproject.org. Last year, there were a number of attacks made on the service which due to its 'write-only' nature makes it impossible to clean up [2] [3]. When the attacks came up, and it was clear it was not easily fixable, we moved keys to a proxy only mode. However this mode has not been too stable and caused other issues.
Fedora Infrastructure has tried to figure out ways to run a service replacement, but currently has not found one which we can with the resources we have available. We plan to turn off and decommission keys.fedoraproject.org on 2020-02-10.
We currently recommend people to use https://keys.openpgp.org/ which offers lookup capabilities.
[1] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home [2] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f [3] https://www.zdnet.com/article/openpgp-flooded-with-spam-by-unknown-hackers/
On Wed, Feb 5, 2020 at 11:57 AM Stephen John Smoogen smooge@gmail.com wrote:
Fedora has been part of an GPG sks service[1] for a number of years running off of keys.fedoraproject.org. Last year, there were a number of attacks made on the service which due to its 'write-only' nature makes it impossible to clean up [2] [3]. When the attacks came up, and it was clear it was not easily fixable, we moved keys to a proxy only mode. However this mode has not been too stable and caused other issues.
Fedora Infrastructure has tried to figure out ways to run a service replacement, but currently has not found one which we can with the resources we have available. We plan to turn off and decommission keys.fedoraproject.org on 2020-02-10.
We currently recommend people to use https://keys.openpgp.org/ which offers lookup capabilities.
[1] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home [2] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f [3] https://www.zdnet.com/article/openpgp-flooded-with-spam-by-unknown-hackers/
We may want to replace it with a simple Web Key Directory server: https://wiki.gnupg.org/WKD
That would make it easy to lookup keys based on @fedoraproject.org email addresses, and since keys can be replaced in the directory, it avoids the problems with SKS attacks.
On Wed, Feb 5, 2020 at 12:13 PM Neal Gompa ngompa13@gmail.com wrote:
On Wed, Feb 5, 2020 at 11:57 AM Stephen John Smoogen smooge@gmail.com wrote:
Fedora has been part of an GPG sks service[1] for a number of years running off of keys.fedoraproject.org. Last year, there were a number of attacks made on the service which due to its 'write-only' nature makes it impossible to clean up [2] [3]. When the attacks came up, and it was clear it was not easily fixable, we moved keys to a proxy only mode. However this mode has not been too stable and caused other issues.
Fedora Infrastructure has tried to figure out ways to run a service replacement, but currently has not found one which we can with the resources we have available. We plan to turn off and decommission keys.fedoraproject.org on 2020-02-10.
We currently recommend people to use https://keys.openpgp.org/ which offers lookup capabilities.
[1] https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home [2] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f [3] https://www.zdnet.com/article/openpgp-flooded-with-spam-by-unknown-hackers/
We may want to replace it with a simple Web Key Directory server: https://wiki.gnupg.org/WKD
That would make it easy to lookup keys based on @fedoraproject.org email addresses, and since keys can be replaced in the directory, it avoids the problems with SKS attacks.
I don't see that being valuable enough to actually invest the effort into doing it and maintaining it long term. If others are interested in hosting such a service, that would likely be welcome.
josh
infrastructure@lists.fedoraproject.org