[PGP-USERS] NAI US Keyserver?

Jacques Therrien pgp-users@cryptorights.org
Wed, 20 Mar 2002 00:52:42 -0500


Date:  2002-03-18  17:27 -0500
John Ridge Cook:

> To All-
>
> Something additional I have found.
>
> Keys created late last year (Oct. and November) were uploaded to
> Certserve and MIT.  They have not made it to several of the UK, NL
> or German servers I tried.  Did NAI stop coordinating the
> servers sometime last year?  Does that mean we have to go to each
> server, when it's up, and see if the keys are current, or should we
> just follow the S/MIME practice and send the keys along with a
> message?

John,

The keyserver area is a hit and miss thing at times. There is no easy
way of generally finding out which servers are likely to receive
which keys at any particular time. Most of this is done by dedicated
volunteers. No overall "map" is to be found.

Some say "It all eventually gets there", however in practice that is
no assurance. It may take months sometimes, and at times it never
gets there. However below are some examples of servers that can be
relied upon.

The NAI server has always been up and down regarding synchronization
with other servers. Some time ago it was an island for a while,
completely isolated and keys did not go anywhere. Later there seemed
to be more interchange.

I updated my keys with new signatures and sent them to the NAI
server, believing they were now tied with the world. However, while
looking at keyservers lately, I found that the updates to my keys did
not get to other servers. Some changes were done almost 2 years
ago...
______________

The best way out is to pick a place to put your keys, and tell
correspondents where to go to get them. So you only need to deal with
one. Some keyservers are networked and replicated, and act as mirrors
for each other -- two suggestions below.

Since we seem to have lost the NAI US server (now it does not respond
at all), we must look to Europe, where most servers are, it appears.

The best list I have found gives some information about all the
aliases referring to the same physical server:

OpenPGP Keyservers:
http://www.hal-pc.org/~bunbytes/karlsson/pgp/keyservers.html#kserv

It was last updated in June 2001. I have used that to attempt to
unravel some of the keyserver stuff. I also started looking into the
GPG world where long lists of servers are being circulated. However,
those lists make it hard to get an overall picture. Many of the
servers in the above list are also mentioned there.

However, the problem is this: keyservers change, some seem no longer
active, and there is not much information as to what is connected to
what in terms of synchronization of data. The page mentioned above
does help in that regard.

A physical server can have several names (aliases). The above page
helps sort some of this out. A physical server having many names
really confuses the issue as well. Probably convenient from a network
management point of view, but very confusing for users.

In other words if a server stops responding, it may be that the name
we were using was dropped while the server itself may be continuing
to work via its other names (each different name is a pointer, alias,
to the same IP address of the server).

In the case of the NAI US server, it has stopped responding no matter
which of its names is used. As well, all the names are still there
and still point to its IP address [161.69.2.21], but there has been no
response for a few days now.
______________

"wwwkeys.pgp.net" is one of the groups of servers in Europe. All have
HTTP: port 11371. These servers are synchronized as a group
(replicated).

They share similar names:   wwwkeys.*.pgp.net
  where "*" is the country code,

  e.g. "wwwkeys.nl.pgp.net"   Netherlands

Others are:
  wwwkeys.de.pgp.net   Germany -- alias: "blackhole.pca.dfn.de"
  wwwkeys.cz.pgp.net   Czech Republic
  wwwkeys.ch.pgp.net   Switzerland
  wwwkeys.dk.pgp.net   Denmark
  etc.

The node in the Netherlands has several names all pointing to the
same server at [IP: 194.171.167.2]:
      wwwkeys.nl.pgp.net
      horowitz.surfnet.nl
      keys.pgpi.net
      pgp.surfnet.nl

At present it also has a fifth alias "europe.keys.pgp.com" which
is used by NAI in Europe. It may be better not to use that name, NAI
may have it removed some day. Note that searching
"europe.keys.pgp.com" gives the same results as searching
"pgp.surfnet.nl"; one does not get what was found at
"keyserver.pgp.com" in the US.

Aside from HTTP (11371), the Netherlands server also offers LDAP and
LDAPS (when I tried LDAPS there was no response at the time). Its
ports are:
  LDAP:   11370
  LDAPS:  11369

Of the names mentioned above, I personally prefer "pgp.surfnet.nl"
which is well known -- the server is hosted by the Surfnet.nl
University Network in the Netherlands.
______________

Aside from the NAI LDAP server that now seems to be gone, the
Netherlands server is the only other main LDAP server. There is
another one listed in the US, however there was no answer:

   Alias        raven.ncsa.uiuc.edu
   Alias        pgp.ncsa.uiuc.edu
   IP Address   141.142.21.59
   Protocol     HTTP 80
   Protocol     LDAP 389
   Location     US

I believe I will give up LDAP servers, there are too few. Anyone
know of other good ones?
______________

In the case of HTTP servers there is a lot of choice.

The OpenPGP Keyservers Web page mentions a round robin, where several
servers share requests and the user is connected to the first
available keyserver (the servers of course replicate each other).

Alias        wwwkeys.au.pgp.net
Protocol     HTTP 11371
Network      PGPnet
Subservers:

   blackhole.pca.dfn.de  -- alias wwwkeys.de.pgp.net  -- Germany
   horowitz.surfnet.nl   -- alias pgp.surfnet.nl      -- Netherlands
   pgp5.ai.mit.edu       -- [IP: 18.43.0.48] MIT      -- US
   pks.pgp.dk            -- alias wwwkeys.dk.pgp.net  -- Denmark
   ms.pgp.cz             -- alias wwwkeys.cz.pgp.net  -- Czech Republic
   rex.citrin.ch         -- alias wwwkeys.ch.pgp.net  -- Switzerland

Using "wwwkeys.au.pgp.net" for the keyserver name automatically
connects the user to the first available of those 6 keyservers.

That is a very good choice for HTTP.
______________

In summary:

  HTTP   wwwkeys.au.pgp.net   11371
  LDAP   pgp.surfnet.nl       11370

Unless the NAI US server comes back, delete:
      keyserver.pgp.com
      certserver.pgp.com
      keys.pgp.com
      keys.nai.com
      pgpkeys.mit.edu
______________

Any feedback would be appreciated. Anything way out of line here?

Thanks


Cheers,

Jacques
PGP Personal Privacy 6.5.8 [0xE15C6C21] | Mac OS 9.1 | Eudora 5.1

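The "go to each server and see if the keys are current" check that the thread discusses, as an added example that is not part of the message above: it queries each HKP keyserver on port 11371 for one key ID, groups hostnames that are aliases of one physical server so each is asked once, and flags servers whose copy of the key differs from the majority. The hostnames are those listed in the message and are assumed to still answer; the HKP lookup path is the standard one, not something from the message.

```python
import hashlib
import socket
import urllib.request
from urllib.error import URLError

# Round-robin alias and its subservers, as listed in the message (assumed reachable).
SERVERS = ["wwwkeys.au.pgp.net", "blackhole.pca.dfn.de", "horowitz.surfnet.nl",
           "pgp5.ai.mit.edu", "pks.pgp.dk", "ms.pgp.cz", "rex.citrin.ch"]
BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def alias_groups(hosts, resolve=socket.gethostbyname):
    """Group names by the address they resolve to, so aliases of one physical
    server are queried once. Names that do not resolve are grouped under None."""
    groups = {}
    for host in hosts:
        try:
            addr = resolve(host)
        except OSError:
            addr = None
        groups.setdefault(addr, []).append(host)
    return groups

def hkp_get_url(host, keyid, port=11371):
    # Standard HKP "get" lookup; 11371 is the HTTP keyserver port in the message.
    return f"http://{host}:{port}/pks/lookup?op=get&search=0x{keyid}"

def fetch_http(url, timeout=10):
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("latin-1")
    except (URLError, OSError):
        return None  # refused, timed out, or HTTP error (e.g. key not found)

def key_digest(body):
    """SHA-256 of the base64 payload inside the armor. Armor headers, blank
    lines and the CRC line are dropped so cosmetic differences between
    server implementations do not register as divergence."""
    start, end = body.find(BEGIN), body.find(END)
    if start < 0 or end < 0:
        return None
    lines = body[start + len(BEGIN):end].splitlines()
    payload = [l.strip() for l in lines
               if l.strip() and ":" not in l and not l.startswith("=")]
    return hashlib.sha256("".join(payload).encode()).hexdigest()

def survey(keyid, hosts=SERVERS, fetch=fetch_http):
    """Return {host: 'unreachable' | 'missing' | <payload digest>} for one key ID."""
    report = {}
    for host in hosts:
        body = fetch(hkp_get_url(host, keyid))
        report[host] = "unreachable" if body is None else (key_digest(body) or "missing")
    return report

def out_of_sync(report):
    """Reachable hosts that lack the majority copy of the key. Servers may
    re-order packets, so a mismatch means 'inspect', not proof of staleness."""
    digests = [d for d in report.values() if d not in ("unreachable", "missing")]
    if not digests:
        return set()
    majority = max(set(digests), key=digests.count)
    return {h for h, d in report.items() if d != majority and d != "unreachable"}
```

Run `survey("E15C6C21")` (the key ID from the signature line above) and pass the result to `out_of_sync` to see which subservers have not yet received an update.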
