[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] Launching a new keyserver on keys.openpgp.org!
|
From: |
Valentin Sundermann |
|
Subject: |
Re: [Sks-devel] Launching a new keyserver on keys.openpgp.org! |
|
Date: |
Tue, 18 Jun 2019 23:44:49 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1 |
> Anyone got some good idea on how to continuously sync certificate updates from
> the SKS pool?
>
> We imported the sks dump to keys.openpgp.org, specifically the non-identity
> parts. We did this mostly to ensure that users of keys.openpgp.org will
> reliably receive revocations that were uploaded to SKS. However, so far we
> don't
> have a very good concept on how to keep that information up to date.
I think the best way forward would be to implement SKS Recon, this way
the SKS instances would not fall behind the hagrid ones (what's good for
the general network I guess).
I'd suggest to provide an in/out sync interface where something like an
"sks recon adapter" could be plugged in. Such an adapter would strip
away all identity information in- and outwards.
And somewhere in the future hagrid keyservers could synchronize the
approved identity information (or add a pointer for an authoritative
keyserver, or add signed attestations, etc). This would be preferably a
well-thought future-proof implementation-unspecific (you name it)
protocol (might also be that SKS Recon is already this protocol, not sure).
Anyway, I'm really behind adding synchronization to hagrid to split up
the power between multiple instances. I'd like to prevent having a
single complete keyserver at all costs :)
Curious for other opinions.
Valentin
signature.asc
Description: OpenPGP digital signature