
Keyserver working group

Welcome to the keyserver working group page. This group was created during the NewTechOrientation2005 meeting, because the previous keyserver had been down since the Ahimsa Seizure. Now the keyserver is up and running, and this page is intended to help people use it and to coordinate the group's effort to improve GPG usage and security in the Indymedia network.

How To Use

  • With the web interface at keys.indymedia.org
  • From the command line: gpg --keyserver keys.indymedia.org
  • In your gnupg.conf, add hkp://keys.indymedia.org, or hkp://keys.indymedia.org:80 to bypass firewalls

Help On GnuPG

There you'll find help in various languages. Feel free to add to it: the more people understand GnuPG, the stronger the network we can build.

Web Of Trust And Keysigning Protocol

For an explanation of what a Web of Trust is, see Wikipedia.

The keyservers team intends to help build a fully trustworthy keyring for Indymedia (if possible...). For that, Indymedia needs to build its own web of trust: keys must be verified (for example at a keysigning party or in a face-to-face meeting), then signed and eventually sent to the keyserver. This way we can build a strong network.

Please be aware that sending your keyring (i.e. the keys you signed) to the keyserver can reveal to the public (and so to the police) with whom you exchange sensitive information. So you have to consider whether it is really necessary to publish this kind of information. Also, you should never publish a key you've signed unless the owner has given his/her agreement.
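The warning above can be checked before anything is uploaded. The following is an added example, not part of the original page or the keyserver group's tooling: it reads `gpg --list-sigs --with-colons` output and lists the exportable third-party signatures, which are the links that become public on a keyserver. The function names and the sample listing (key IDs, names) are constructed for illustration.

```sh
#!/bin/sh
# Added example: show which "who signed whom" links a keyring would publish.
#
# Input on stdin: output of `gpg --list-sigs --with-colons`.
# Colon-format fields used: 1 = record type, 5 = key ID,
# 10 = user ID, 11 = signature class followed by
# "x" (exportable) or "l" (local, never exported).
published_links() {
    awk -F: '
        $1 == "pub" { key = $5; next }          # start of a new key block
        $1 == "sig" && $5 != key && $11 ~ /x$/ { # skip self-sigs and local sigs
            print key " signed-by " $5 " (" $10 ")"
        }
    '
}

# Constructed sample listing (key IDs, hashes and names are made up).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1100000000:::u:::scESC::::::
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1100000000::HASH1::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1100000000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:BBBBBBBBBBBBBBBB:1100000500::::Bob Example <bob@example.org>:10x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1100000900::::Carol Example <carol@example.org>:10l:::::2:
pub:f:4096:1:BBBBBBBBBBBBBBBB:1100000100:::-:::scESC::::::
uid:f::::1100000100::HASH2::Bob Example <bob@example.org>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1100000100::::Bob Example <bob@example.org>:13x:::::2:
EOF
}

# Stand-alone run on the sample; on a real keyring use:
#   gpg --list-sigs --with-colons | published_links
sample_listing | published_links
```

Carol's signature does not appear because it is marked local (`10l`); signatures made with `gpg --lsign-key` carry that marker and are not exported.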

The keyserver itself is part of the task, but it can't be done without adopting a keysigning protocol for use at parties or "real life" meetings and teaching people sane use of their keys (for that, see the Help chapter). We encourage everyone who owns and uses a GPG key to think about signing keys and getting his/her own key signed each time he/she meets an Indymedia member. The more we can verify keys, the more we can secure our communications.

There was already a PgpKeysigning, mostly based on the GPG keysigning party HOWTO (en). This is a good example of how a keysigning party has to be run to be fully trustworthy (remember that you should not bring your computer, only a piece of paper). You can also read how the Debian team proceeds. See also the Web Of Trust chapter of ImcSecurity. By reading those docs and proceeding accordingly, you will be able to enforce the opacity of your communications.

Synchronisation

A consensus has been reached among the people responding on the keyservers list that we could sync our server with other leftist ones, as this could help improve security in our exchanges. You can find the minutes of this discussion in the mailing list archives. For any questions/objections/proposals, send a mail to the list.

Backups

Indymedia's keyserver has a simple but efficient and paranoid pull-based backup process (i.e. a simple cron-driven bash script ;]). The backups are made daily and encrypted for each place that hosts them. A few places currently host them, but we are looking for one or two more servers that could help. They can easily be hosted anywhere; it only requires having wget installed and a public GPG key. If you want to help, just send a mail to pgp-keyserver-admin@lists.indymedia.org or keyservers@lists.indymedia.org.

Tasks List

  • Find another place to host a second keyserver, more places to host backups too
  • Bring together all available documentation on GnuPG and cryptography in various languages (enhance the Sysadmin.GnuPG* help pages, which are quite simple)
  • Build up or adopt a keysigning protocol, then spread it
  • ...

Hosting Needs

Finding a second hosting place and one or two places to host backups (see the Backups chapter) would help secure the keyserver.

  • Hosting Requirements:
    • GNU/Linux, *BSD (Debian is better as it distributes onak, but onak can easily be installed on other Unixes)
    • Apache/DNS
    • MTA/Procmail
    • Perl
    • Shell access; sudo if possible (especially if not running Debian) but not necessary: with some explanations, it can be installed easily and quickly.

-- MatZe - 01 Nov 2004

-- SimonShine - 09 Dec 2004 (Updated SKS info)

-- IntRigeri - 27 Feb 2005 : refactored page

-- BertAgaz - 28 Feb 2005 : Task List

-- BertAgaz - 05 Mar 2005 : Task List tweaks, hosting needs, updated keyservers's projects

-- BertAgaz - 12 Apr 2005 : updated page
Topic revision: r22 - 03 Oct 2006, CaSe