[PGP-USERS] NAI US Keyserver?

Jacques Therrien pgp-users@cryptorights.org
Wed, 20 Mar 2002 00:52:42 -0500


Date:  2002-03-18  17:27 -0500
John Ridge Cook:

> To All-
> Something additional I have found.
> Keys created late last year (Oct. and November ) were uploaded to
> Certserve and MIT.  They have not made it to several of the UK,NL
> or German servers I tried.  Did NAI stop co-coordinating the
> servers sometime last year?  Does that mean we have to go to each
> server, when its up,  and see if the keys are current or should we
> just follow the S/MIME practice and send the keys along with a
> message.


The keyserver area is a hit and miss thing at times. There is no easy
way of generally finding out which servers are likely to receive
which keys at any particular time. Most of this is done by dedicated
volunteers. No overall "map" is to be found.

Some say "It all eventually gets there", however in practice that is
no assurance. It may take months sometimes, and at times it never
gets there. However below are some examples of servers that can be
relied upon.

The NAI server has always been up and down regarding synchronization
with other servers. Some time ago it was an island for a while,
completely isolated and keys did not go anywhere. Later there seemed
to be more interchange.

I updated my keys with new signatures and sent them to the NAI
server, believing they were now tied with the world. However, while
looking at keyservers lately, I found that the updates to my keys did
not get to other servers. Some changes were done almost 2 years

The best way out is to pick a place to put your keys, and tell
correspondents where to go to get them. So you only need to deal with
one. Some keyservers are networked and replicated, act as mirrors for
each other -- two suggestions below.

Since we seem to have lost the NAI US server (now it does not respond
at all), we must look to Europe where most servers are it appears.

The best list I have found gives some information about all the
aliases referring to the same physical server,

OpenPGP Keyservers:

It was last updated in June 2001. I have used that to attempt to
unravel some of the keyserver stuff. I also started looking into the
GPG world where long lists of servers are being circulated. However,
those lists make it hard to get an overall picture. Many of the
servers in the above list are also mentioned there.

However the problem is this, keyservers change, some seem no longer
active and there is not much information as to what is connected to
what in terms of synchronization of data. The page mentioned above
does help in that regard.

A physical server can have several names (aliases). The above page
helps sort some of this out. A physical server having many names
really confuses the issue as well. Probably convenient from a network
management point of view, but very confusing for users.

In other words if a server stops responding, it may be that the name
we were using was dropped while the server itself may be continuing
to work via its other names (each different name is a pointer, alias,
to the same IP address of the server).

In the case of the NAI US server, it has stopped responding no matter
which of its names is used. As well, all the names are still there
and still point to its IP address [], but there was no
response for a few days now.

"wwwkeys.pgp.net" is one of the groups of servers in Europe. All have
HTTP: port 11371. These servers are synchronized as a group

They share similar names:   wwwkeys.*.pgp.net
  where "*" is the country code,

  e.g. "wwwkeys.nl.pgp.net"   Netherlands

Others are:
  wwwkeys.de.pgp.net   Germany -- alias: "blackhole.pca.dfn.de"
  wwwkeys.cz.pgp.net   Czech Republic
  wwwkeys.ch.pgp.net   Switzerland
  wwwkeys.dk.pgp.net   Denmark

The node in the Netherlands has several names all pointing to the
same server at [IP:]:

At the present it also has a fifth alias "europe.keys.pgp.com" which
is used by NAI in Europe. It may be better not to use that name, NAI
may have it removed some day. Note that searching
"europe.keys.pgp.com" gives the same results as searching
"pgp.surfnet.nl", one does not get what was found at
"keyserver.pgp.com" in the US.

Aside from HTTP (11371), The Netherlands server also offers LDAP and
LDAPS (when I tried LDAPS there was no response at the time). Its
ports are LDAP: 11370  LDAPS: 11369

Of the names mentioned above, I personally prefer "pgp.surfnet.nl"
which is well known -- the server is hosted by the Surfnet.nl
University Network in the Netherlands.

Aside from the NAI LDAP server that now seems to be gone, the
Netherlands server is the only other main LDAP server. There is
another one listed in the US, however there was no answer:

   Alias           raven.ncsa.uiuc.edu
   Alias           pgp.ncsa.uiuc.edu
   IP Address
   Protocol       HTTP 80
   Protocol       LDAP 389
   Location       US

I believe I will give up LDAP servers, there are too few. Anyone one
know of other good ones?

In the case of HTTP servers there is a lot of choice.

The OpenPGP Keyservers Web page mentions a round robin, where several
servers share requests and the user is connected to the first
available keyserver (the servers of course replicate each other).

Alias             wwwkeys.au.pgp.net
Protocol        HTTP 11371
Network	      PGPnet

   blackhole.pca.dfn.de  -- alias wwwkeys.de.pgp.net - Germany
   horowitz.surfnet.nl -- alias  pgp.surfet.nl     -- Netherlands
   pgp5.ai.mit.edu  -- [IP:] MIT   --  US
   pks.pgp.dk  -- alias  wwwkeys.dk.pgp.net   --  Denmark
   ms.pgp.cz  -- alias wwwkeys.cz.pgp.net      --  Czech Republic
   rex.citrin.ch  -- alias  wwwkeys.ch.pgp.net  --  Switzerland

Using "wwwkeys.au.pgp.net" for the keyserver name automatically
connects the user to the first available of those 6 keyservers.

That is a very good choice for HTTP.

In summary:

  HTTP   wwwkeys.au.pgp.net   11371
  LDAP   pgp.surfnet.nl             11370

Unless the NAI US server comes back, delete:

Any feedback would be appreciated. Anything way of line here?



PGP Personal Privacy 6.5.8 [0xE15C6C21] | Mac OS 9.1 | Eudora 5.1

Version: PGP Personal Privacy 6.5.8
Comment: Join PGP-Basics -> PGP-Basics-subscribe@yahoogroups.com


Unsubscribe: <mailto:pgp-users-listbot@cryptorights.org?body=unsubscribe>
Automated Help/Info: <mailto:pgp-users-listbot@cryptorights.org?body=help>
List Homepage: <http://cryptorights.org/pgp-users/>
List Admin (human): <mailto:pgp-users-admin-human@cryptorights.org>
Please do not send administrative commands to the list address!  Thanks.