Discussion:
[Sks-devel] Deployment question about non-public server with oneway feed
Steffen Kaiser
2018-06-27 13:12:37 UTC
Hi,

I have been asked to set up a local PGP key distribution, because some
attendees are concerned about SPAM harvesting and other things. One
condition is to support WKD and a key server, because some clients use a
key server only.

Because most client software cannot query multiple key servers, I thought
about a proxy that merges the results of one local and one SKS server
first, but found none.

So I guess my only option is to set up an SKS server and:

1) ask if someone would feed me one-way with updates, and
2) synchronize local uploads between WKD and this server.

I installed a test machine and verified that I can sync WKD and the
database of the SKS server both ways.

But: is this a valid setup? Would somebody recommend something different?

Is it possible to set up a one-way SKS update feed?

Kind regards,

--
Steffen Kaiser
Hendrik Grewe
2018-06-27 14:12:58 UTC
This setup reminds me of a recently asked question on this ML:

http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00032.html

hope this helps

Hendrik
--
_____________________________________________________________________
Hendrik Grewe ***@tu-dortmund.de
Public PGP-Key http://mypgpkey.b4ckbone.org
PGP-Fingerprint B8D6 0D8C F5A9 410A 8077 66AE CF08 65D2 0A09 6F7B

PGP-encrypted mails are welcome!
_____________________________________________________________________
Steffen Kaiser
2018-06-27 14:34:52 UTC
Post by Hendrik Grewe
http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00032.html
hope this helps
yes, http://lists.nongnu.org/archive/html/sks-devel/2018-06/msg00041.html
states that: "Unless recon is enabled in both directions, the key delta
will inevitably grow to the point that recon will fail."

That means recon / gossip is not possible and updates via email are the
only option left.

I don't know if I like the idea to start from scratch regularly, also
mentioned in the thread. So I would pull the complete database once a
week, add the local changes and swap the servers.

Thanks,
--
Steffen Kaiser
Steffen Kaiser
2018-06-28 09:14:53 UTC
for the archive:

email updates don't work either. I set up three systems with an SKS system
each:

+ system A and system B are configured to gossip with each other, thus
simulating the normal outside SKS peers / SKS cloud,
+ system C is my local installation, which must not talk to the outside, and
+ system B syncs via mail to system C (one-way).

If I upload a key to system B, it is synced to C. If I upload a key to
system A, it is synced to B, but not forwarded to C. So, mailsync is out
as well.

Thanks,
--
Steffen Kaiser
Hendrik Visage
2018-06-28 09:21:23 UTC
I also got the feeling that mailsync was meant for when a key is *directly* uploaded to a server: it is emailed out, not when the server receives keys via its recon/whisper partners (else everyone would send out emails with each and every sync, i.e. >100 mails/day).

I think the (wish list) option to have a 1-way sync setting, i.e. any and all keys you receive, you forward in that direction, no matter whether that server has the key or not, i.e. no recon/whisper, just: "I've received this key, here it is"

---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
***@envisage.co.za
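Added illustration (not code from this thread, nor from SKS itself) of the A/B/C test Steffen ran and of the mailsync trigger Hendrik describes: a small propagation model in which recon is bidirectional and mailsync only fires for a key submitted directly to a server; the `forward_received` switch is an assumption modelling the wished-for "forward everything you receive" one-way feed, and the link names are this example's own, not SKS configuration keys.

```python
from collections import deque

# Link kinds for the model (example's own names, not SKS config options).
RECON = "recon"        # bidirectional gossip between two peers
MAILSYNC = "mailsync"  # one-way email feed from src to dst


def propagate(links, uploaded_at, forward_received=False):
    """Return the set of servers that end up holding a key uploaded at
    `uploaded_at`, given a list of (src, dst, kind) links.

    forward_received=False models mailsync as the thread describes it:
    only a directly submitted key is mailed out.  forward_received=True
    models the hypothetical one-way feed that forwards every key a
    server receives, however it arrived.
    """
    recon, mail = {}, {}
    for src, dst, kind in links:
        if kind == RECON:  # recon is symmetric
            recon.setdefault(src, set()).add(dst)
            recon.setdefault(dst, set()).add(src)
        elif kind == MAILSYNC:
            mail.setdefault(src, set()).add(dst)
        else:
            raise ValueError(f"unknown link kind {kind!r}")

    holders = {uploaded_at}
    queue = deque([(uploaded_at, True)])  # (server, arrived by direct upload?)
    while queue:
        server, direct = queue.popleft()
        for peer in recon.get(server, ()):  # gossip reaches every recon peer
            if peer not in holders:
                holders.add(peer)
                queue.append((peer, False))
        if direct or forward_received:     # mailsync trigger rule
            for peer in mail.get(server, ()):
                if peer not in holders:
                    holders.add(peer)
                    queue.append((peer, False))  # mailed-in key is not a direct upload
    return holders


# The thread's topology: A <-> B gossip, B -> C one-way mailsync (constructed).
THREAD_LINKS = [("A", "B", RECON), ("B", "C", MAILSYNC)]

if __name__ == "__main__":
    print("upload to B:", sorted(propagate(THREAD_LINKS, "B")))
    print("upload to A:", sorted(propagate(THREAD_LINKS, "A")))
    print("upload to A, forward-all feed:",
          sorted(propagate(THREAD_LINKS, "A", forward_received=True)))
```

Under the thread's mailsync rule a key uploaded to A stops at B, exactly the result Steffen observed; only the forward-everything variant gets it to C.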