1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 11 Jul 2019 21:52:11 -0400
Subject: Use hkps://keys.openpgp.org as the default keyserver
As of 2.2.17, GnuPG will refuse to accept any third-party
certifications from OpenPGP certificates pulled from the keyserver
network.
The SKS keyserver network currently has at least a dozen popular
certificates which are flooded with enough unusable third-party
certifications that they cannot be retrieved in any reasonable amount
of time.
The hkps://keys.openpgp.org keyserver installation offers HKPS,
performs cryptographic validation, and by policy does not distribute
third-party certifications anyway.
It is not distributed or federated yet, unfortunately, but it is
functional, which is more than can be said for the dying SKS pool.
And given that GnuPG is going to reject all the third-party
certifications anyway, there is no clear "web of trust" rationale for
relying on the SKS pool.
One sticking point is that keys.openpgp.org does not distribute user
IDs unless the user has proven control of the associated e-mail
address. This means that on standard upstream GnuPG, retrieving
revocations or subkey updates of those certificates will fail, because
upstream GnuPG ignores any incoming certificate without a user ID,
even if it knows a user ID in the local copy of the certificate (see
https://dev.gnupg.org/T4393).
However, we have three patches in
debian/patches/import-merge-without-userid/ that together fix that
bug.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
configure.ac | 2 +-
doc/dirmngr.texi | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1ea8b7a..a3ff5c4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1828,7 +1828,7 @@ AC_DEFINE_UNQUOTED(SCDAEMON_SOCK_NAME, "S.scdaemon",
AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr",
[The name of the dirmngr socket])
AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER,
- "hkps://keyserver.ubuntu.com",
+ "hkps://keys.openpgp.org",
[The default keyserver for dirmngr to use, if none is explicitly given])
AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 39c0c45..4ac6174 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -339,8 +339,13 @@ whether Tor is locally running or not. The check for a running Tor is
done for each new connection.
If no keyserver is explicitly configured, dirmngr will use the
-built-in default of @code{https://keyserver.ubuntu.com}. To avoid the
-use of a default keyserver the value @code{none} can be used.
+built-in default of @code{https://keys.openpgp.org}.
+
+Note that the above default is a Debian-specific choice. Upstream
+GnuPG prefers @code{hkps://keyserver.ubuntu.com}. See
+/usr/share/doc/gpgconf/NEWS.Debian.gz for more details.
+
+To avoid the use of a default keyserver the value @code{none} can be used.
Windows users with a keyserver running on their Active Directory
may use the short form @code{ldap:///} for @var{name} to access this directory.
|