Daniel Kahn Gillmor
2017-09-06 22:16:38 UTC
(adding sks-devel to this thread since it discusses changing the
minimum bar for the pool)

> > including all of the RSA and DSA subkeys. But not the original
> > requested ed25519 key. It seems SKS 1.1.5 partly supports ed25519 keys
> > but for example does not return them.
>
> No, 1.1.5 supports RFC6637 but not the ed25519/curve25519 variants
>
> > Hopefully the remaining SKS 1.1.5 installations will soon update to
> > 1.1.6 which does not have this problem.
>
> hkp://subset.pool.sks-keyservers.net requires SKS 1.1.6, I've been
> pondering requiring the main pool to use this, which can be discussed
> if we want to push ed25519/curve25519
SKS 1.1.6 was released over 1 year ago (on 2016-08-07). It is well
tested and widely deployed.
looking at https://sks-keyservers.net/status/ -- i'd say we can afford
to move to SKS 1.1.6 for the main pool.
We will (temporarily) go from 116 members of the main pool to 85 -- a
loss of about 25%. But we also provide an incentive for those members
to upgrade to 1.1.6, so i expect we'll make some of that back.
We only lose 3 members from the hkps pool, and 2 members from the
onionbalance, so i'd recommend making it a minimum there too.
About feasibility of upgrades: version-wise, people tend to treat debian
as the "old, out of date distro", and for debian:
* Debian stable (stretch) has SKS 1.1.6.
* people running debian oldstable (jessie) can install 1.1.6 from
jessie-backports.
People running keyservers on ubuntu LTS will need to find a PPA or some
other alternative (xenial offers only 1.1.5 in universe), but so it goes
:/ (I note that a previous attempt to get a backport into an ubuntu LTS
appears to have gone unresolved:
https://bugs.launchpad.net/trusty-backports/+bug/1435397 -- but perhaps
micahg can be convinced to update his ppa in a similar way at least)
I recommend requiring at least SKS 1.1.6 for membership in all the
pools.
--dkg
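The quoted context above turns on whether a keyserver hands back a key's ed25519 subkey at all. The following is an added example, not code from this thread, from SKS or from any of its authors: a small Python walker over a binary OpenPGP keyblock that lists the public-key algorithm of every key and subkey packet, so an operator can compare what a server returned against what was uploaded. Algorithm IDs follow RFC 4880 section 9.1 and RFC 6637 (18 ECDH, 19 ECDSA); 22 is the EdDSA ID used for Ed25519 keys; the curve OIDs are the standard ones. The sample keyblock at the bottom is constructed from header fields plus a one-bit placeholder MPI and contains no real key material.

```python
"""List public-key algorithms in an OpenPGP keyblock (added example)."""
from typing import Iterator, List, Tuple

# Public-key algorithm IDs: RFC 4880 9.1, RFC 6637 (18, 19), EdDSA (22).
ALGO_NAMES = {
    1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
    16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA",
}
# Curve OIDs as encoded in ECC key packets (length byte not included).
CURVE_OIDS = {
    bytes.fromhex("2B06010401DA470F01"): "Ed25519",
    bytes.fromhex("2B060104019755010501"): "Curve25519",
    bytes.fromhex("2A8648CE3D030107"): "NIST P-256",
}
ED25519_OID = bytes.fromhex("2B06010401DA470F01")
PUBLIC_KEY, PUBLIC_SUBKEY = 6, 14


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial-length packets are not handled")
        else:  # old-format header (RFC 4880 4.2.1)
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:  # indeterminate length: rest of the stream
                length = len(data) - pos
            else:
                nbytes = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + nbytes], "big")
                pos += nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += length


def key_algorithms(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (kind, algo_id, curve) for every public key/subkey packet.

    In a v4 key packet the algorithm byte follows the version byte and the
    4-byte creation time; ECC algorithms then carry a length-prefixed OID.
    """
    found = []
    for tag, body in iter_packets(data):
        if tag not in (PUBLIC_KEY, PUBLIC_SUBKEY):
            continue
        algo = body[5]
        curve = ""
        if algo in (18, 19, 22):
            oid_len = body[6]
            curve = CURVE_OIDS.get(body[7:7 + oid_len], "unknown curve")
        found.append(("primary" if tag == PUBLIC_KEY else "subkey", algo, curve))
    return found


def has_ed25519(data: bytes) -> bool:
    """True if any key or subkey packet is EdDSA on Ed25519."""
    return any(a == 22 and c == "Ed25519" for _, a, c in key_algorithms(data))


def _fake_key_packet(tag: int, algo: int, oid: bytes = b"") -> bytes:
    """Constructed v4 key packet with a 1-bit placeholder MPI (no real key)."""
    body = bytes([4]) + (1504772096).to_bytes(4, "big") + bytes([algo])
    if oid:
        body += bytes([len(oid)]) + oid
    body += (1).to_bytes(2, "big") + b"\x01"  # MPI: bit length 1, value 1
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample: RSA primary, DSA subkey, Ed25519 subkey.
_ED25519_SUBKEY = _fake_key_packet(PUBLIC_SUBKEY, 22, ED25519_OID)
SAMPLE_KEYBLOCK = (_fake_key_packet(PUBLIC_KEY, 1)
                   + _fake_key_packet(PUBLIC_SUBKEY, 17) + _ED25519_SUBKEY)
# The same key as a server that drops the ed25519 subkey would return it.
SAMPLE_WITHOUT_ED25519 = SAMPLE_KEYBLOCK[:-len(_ED25519_SUBKEY)]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYBLOCK
    for kind, algo, curve in key_algorithms(blob):
        print(f"{kind:8} algo {algo:2} {ALGO_NAMES.get(algo, '?')} {curve}")
    print("ed25519 present:", has_ed25519(blob))
```

To check a real server, receive the key from it into a scratch keyring, write it out in binary with `gpg --export` to a file, and pass that path as the script's argument; a keyblock missing its EdDSA subkey is exactly the symptom the quoted messages describe for 1.1.5.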