Re: [Sks-devel] Launching a new keyserver on!

From: Valentin Sundermann
Subject: Re: [Sks-devel] Launching a new keyserver on!
Date: Tue, 18 Jun 2019 23:44:49 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1

> Anyone got some good idea on how to continuously sync certificate updates from
> the SKS pool?
> We imported the sks dump to, specifically the non-identity
> parts.  We did this mostly to ensure that users of will
> reliably receive revocations that were uploaded to SKS. However, so far we don't
> have a very good concept on how to keep that information up to date.

I think the best way forward would be to implement SKS Recon; this way
the SKS instances would not fall behind the hagrid ones (which is good for
the general network, I guess).

I'd suggest to provide an in/out sync interface where something like an
"sks recon adapter" could be plugged in. Such an adapter would strip
away all identity information in- and outwards.

And somewhere in the future hagrid keyservers could synchronize the
approved identity information (or add a pointer for an authoritative
keyserver, or add signed attestations, etc). This would be preferably a
well-thought future-proof implementation-unspecific (you name it)
protocol (might also be that SKS Recon is already this protocol, not sure).

Anyway, I'm really behind adding synchronization to hagrid to split up
the power between multiple instances. I'd like to prevent having a
single complete keyserver at all costs :)

Curious for other opinions.

Attachment: signature.asc
Description: OpenPGP digital signature
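
The identity-stripping step that such an adapter would apply in both directions, sketched as an added example that is not part of the original message and not hagrid or SKS code. It assumes "identity information" means User ID and User Attribute packets plus the signatures that follow them; `read_packets`, `strip_identities`, `pkt` and the `SAMPLE` bytes (dummy packet bodies, not real key material) are constructed for illustration.

```python
USER_ID, USER_ATTRIBUTE = 13, 17      # RFC 4880 packet tags carrying identity data
PUBLIC_KEY, PUBLIC_SUBKEY = 6, 14     # packets that start a non-identity component

def read_packets(data):
    """Yield (tag, raw_packet_bytes) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        pos += 1
        if first & 0x40:                              # new-format header
            tag, o1 = first & 0x3F, data[pos]
            if o1 < 192:                              # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:                            # two-octet length
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:                           # five-octet length
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths not supported here")
        else:                                         # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        pos += length
        yield tag, data[start:pos]

def strip_identities(cert):
    """Drop User ID / User Attribute packets and every packet up to the next key."""
    out, dropping = [], False
    for tag, raw in read_packets(cert):
        if tag in (PUBLIC_KEY, PUBLIC_SUBKEY):
            dropping = False                          # key material is kept
        elif tag in (USER_ID, USER_ATTRIBUTE):
            dropping = True                           # identity and its signatures go
        if not dropping:
            out.append(raw)
    return b"".join(out)

def pkt(tag, body):
    """Build a new-format packet with a one-octet length (constructed test data)."""
    return bytes([0xC0 | tag, len(body)]) + body
SAMPLE = (pkt(6, b"KEY") + pkt(2, b"REVOCATION")
          + pkt(13, b"Alice <alice@example.org>") + pkt(2, b"CERTIFICATION")
          + pkt(14, b"SUBKEY") + pkt(2, b"BINDING"))
```

Signatures that sit directly after the primary key or a subkey, which is where key revocations and subkey bindings live, pass through unchanged; only the User ID and User Attribute packets and the signatures attached to them are removed.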
