Mailing List Archive: GnuPG: devel

keyserver scheme http broken?



bernhard at intevation

Nov 12, 2009, 9:24 AM

Post #1 of 6 (756 views)
keyserver scheme http broken?

I might be missing something here, but for me on gnupg 2.0.13 (and 2.0.11)
retrieving keys via the "http://" scheme seems to be broken.

(Also it seems that --search-keys does not work with "http", although a lot of
people claim that "http" is just "hkp" over port 80.)
Any ideas?

gpg2 --keyserver hkp://pgp.surfnet.nl --keyserver-options
verbose,verbose,verbose,debug --recv-keys DA4A1116
gpg: fordere Schlüssel DA4A1116 von hkp-Server pgp.surfnet.nl an
gpgkeys: curl version = libcurl/7.15.5 GnuTLS/1.4.4 zlib/1.2.3 libidn/0.6.5
Host: pgp.surfnet.nl
Command: GET
gpgkeys: HTTP URL is
`http://pgp.surfnet.nl:11371/pks/lookup?op=get&options=mr&search=0xDA4A1116'
* About to connect() to pgp.surfnet.nl port 11371
[..]
-> works!

gpg2 --keyserver http://http-keys.gnupg.net --keyserver-options
verbose,verbose,verbose,debug --recv-keys DA4A1116
gpg: fordere Schlüssel DA4A1116 von http-Server http-keys.gnupg.net an
gpgkeys: curl version = libcurl/7.15.5 GnuTLS/1.4.4 zlib/1.2.3 libidn/0.6.5
Scheme: http
Host: http-keys.gnupg.net
Path: /
Command: GET
* About to connect() to http-keys.gnupg.net port 80
* Trying 194.171.167.98... * connected
* Connected to http-keys.gnupg.net (194.171.167.98) port 80
> GET / HTTP/1.1
Host: http-keys.gnupg.net
Accept: */*
Pragma: no-cache
Cache-Control: no-cache

< HTTP/1.0 200 OK
< Server: sks_www/1.1.0
< Content-type: text/html; charset=UTF-8
* Closing connection #0
gpgkeys: no key data found for http://http-keys.gnupg.net/
gpg: Keine gültigen OpenPGP-Daten gefunden.
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 0
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks
bernhard [at] plot:~$ gpg2 --keyserver http://pgp.surfnet.nl --keyserver-options
verbose,verbose,verbose,debug --recv-keys DA4A1116
gpg: fordere Schlüssel DA4A1116 von http-Server pgp.surfnet.nl an
gpgkeys: curl version = libcurl/7.15.5 GnuTLS/1.4.4 zlib/1.2.3 libidn/0.6.5
Scheme: http
Host: pgp.surfnet.nl
Path: /
Command: GET
* About to connect() to pgp.surfnet.nl port 80
* Trying 194.171.167.98... * connected
* Connected to pgp.surfnet.nl (194.171.167.98) port 80
> GET / HTTP/1.1
Host: pgp.surfnet.nl
Accept: */*
Pragma: no-cache
Cache-Control: no-cache

< HTTP/1.0 200 OK
< Server: sks_www/1.1.0
< Content-type: text/html; charset=UTF-8
* Closing connection #0
gpgkeys: no key data found for http://pgp.surfnet.nl/
gpg: Keine gültigen OpenPGP-Daten gefunden.
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 0
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks

(I've also tried this with the other http-key servers from
http://keystats.gnupg.net/)

Best,
Bernhard
--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Attachments: signature.asc (0.19 KB)


dshaw at jabberwocky

Nov 12, 2009, 10:17 AM

Post #2 of 6 (727 views)
Re: keyserver scheme http broken? [In reply to]

On Nov 12, 2009, at 12:24 PM, Bernhard Reiter wrote:

> I might be missing something here, but for me on gnupg 2.0.13 (and 2.0.11)
> retrieving keys via the "http://" scheme seems to be broken.
>
> (Also it seems that --search-keys does not work with "http", although
> a lot of
> people claim that "http" is just "hkp" over port 80.)

That is not correct.

hkp is basically a convention for a keyserver that runs over HTTP on a
different port (11371). If you want hkp on port 80, you'd do "hkp://
whatever.example.com:80". The hkp protocol specifies how keys are to
be searched for and retrieved, using HTTP as the transport.

That's hkp. There isn't really a *http* keyserver (in the sense of
being a database of many keys that can be queried). If you specify a
http URL with the --keyserver command, you're really describing the
path to a particular file to fetch. It's not really intended for that
use, and you can't --search-keys or --recv-keys a web server.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


bernhard at intevation

Nov 12, 2009, 12:19 PM

Post #3 of 6 (732 views)
Re: keyserver scheme http broken? [In reply to]

David,

On Thursday 12 November 2009, David Shaw wrote:
> On Nov 12, 2009, at 12:24 PM, Bernhard Reiter wrote:
> > I might be missing something here, but for me on gnupg 2.0.13 (and 2.0.11)
> > retrieving keys via the "http://" scheme seems to be broken.
> >
> > (Also it seems that --search-keys does not work with "http", although
> > a lot of
> > people claim that "http" is just "hkp" over port 80.)
>
> That is not correct.
>
> hkp is basically a convention for a keyserver that runs over HTTP on a
> different port (11371). If you want hkp on port 80, you'd do "hkp://
> whatever.example.com:80". The hkp protocol specifies how keys are to
> be searched for and retrieved, using HTTP as the transport.
>
> That's hkp.

Thanks for the clarification; as I've hinted, I believe this is
somewhat underdocumented.

> There isn't really a *http* keyserver (in the sense of
> being a database of many keys that can be queried). If you specify a
> http URL with the --keyserver command, you're really describing the
> path to a particular file to fetch. It's not really intended for that
> use, and you can't --search-keys or --recv-keys a web server.

http://gpg4win.de/doc/gpg4win-compendium-de_21.html at least is confusing
on this part (and I think Werner read over it as well). It makes the reader
believe that http://keyserver.pramberger.at and http://gpg-keyserver.de
could be viable "keyservers" for use with --keyserver.
We (as in the Gpg4win Team, especially Emanuel) must change that.

http://keystats.gnupg.net/ did not put that idea to rest, nor did
the --keyserver section of gpg.texi. Well, now I know. The different port can be
a problem for enterprise firewalls, though.

Best,
Bernhard

--
Managing Director - Owner: www.intevation.net (Free Software Company)
Deputy Germany Coordinator: fsfeurope.org. Coordinator: Kolab-Konsortium.com.
Intevation GmbH, Neuer Graben 17, Osnabrück, DE; AG Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Attachments: signature.asc (0.19 KB)


dshaw at jabberwocky

Nov 12, 2009, 8:12 PM

Post #4 of 6 (720 views)
Re: keyserver scheme http broken? [In reply to]

On Nov 12, 2009, at 3:19 PM, Bernhard Reiter wrote:

>> There isn't really a *http* keyserver (in the sense of
>> being a database of many keys that can be queried). If you specify a
>> http URL with the --keyserver command, you're really describing the
>> path to a particular file to fetch. It's not really intended for
>> that
>> use, and you can't --search-keys or --recv-keys a web server.
>
> http://gpg4win.de/doc/gpg4win-compendium-de_21.html at least is
> confusing
> on this part (and I think Werner read over it as well). It makes the
> reader
> believe that http://keyserver.pramberger.at and http://gpg-keyserver.de
> could be viable "keyservers" for use with --keyserver.
> We (as in the Gpg4win Team, especially Emanuel) must change that.

The rule of thumb is that things that you can use with --keyserver are
protocols where you can tell it which key you want (like hkp, ldap, or
mailto). http can't do this, as there is no standard way to specify
the key ID (the path to the key could be different on my web server
compared to yours).

It also doesn't help that the PGP product calls them "http keyservers"!

> http://keystats.gnupg.net/ did not put that idea to rest, nor did
> the --keyserver section of gpg.texi. Well, now I know. The different
> port can be
> a problem for enterprise firewalls, though.

Some keyservers run hkp over port 80 to deal with firewalls (so it's
hkp://keyserver.example.com:80 in those cases). I'm not sure why
11371 was chosen instead of 80. It was set a long time ago. It might
be something as simple as they needed a port >1024 so non-root could
bind it, but I don't really know.

Incidentally, newer (1.4.10 + 2.0.13) versions of GPG can use DNS
service discovery to detect the port number for hkp automatically.

I'll take a look at gpg.texi and see if I can make this a bit clearer.

David


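To make David's two points concrete (hkp is HTTP on port 11371 with a well-defined lookup path, while a plain http:// URI names a file and cannot address a key ID), here is an added example that is not GnuPG's own code. It reconstructs the lookup URL gpgkeys printed in the first post, applies the "bare host name means hkp" default Bernhard observed, and mirrors the helper's "no key data found" check on two constructed response bodies.

```python
"""Added example (not GnuPG code): --keyserver URI handling for HKP."""
from urllib.parse import urlsplit, urlencode

HKP_DEFAULT_PORT = 11371          # the hkp port discussed in the thread
PGP_ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"


def parse_keyserver_uri(uri):
    """Return (scheme, host, port). A bare host name defaults to hkp,
    matching the observation that '--keyserver keys.gnupg.net' just works."""
    if "://" not in uri:
        uri = "hkp://" + uri
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "hkp":
        port = parts.port or HKP_DEFAULT_PORT   # hkp://host:80 overrides
    elif scheme == "http":
        port = parts.port or 80
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return scheme, parts.hostname, port


def hkp_lookup_url(uri, keyid):
    """Build the HKP 'get' request for a key ID, as gpgkeys did for
    hkp://pgp.surfnet.nl in the first post."""
    scheme, host, port = parse_keyserver_uri(uri)
    if scheme != "hkp":
        # An http URI is the path of one file to fetch; there is no
        # standard way to say which key ID you want, so refuse outright.
        raise ValueError("scheme %r cannot address a key by ID" % scheme)
    query = urlencode({"op": "get", "options": "mr", "search": "0x" + keyid})
    return "http://%s:%d/pks/lookup?%s" % (host, port, query)


def classify_response(body):
    """Same decision the gpgkeys helper made: armored key data or not."""
    return "key" if PGP_ARMOR_HEADER in body else "no key data found"


# Constructed sample bodies (not captured from a real server): the HTML
# front page that GET / on port 80 returned in the thread, and an armored key.
HTML_INDEX = "<html><head><title>SKS OpenPGP Keyserver</title></head></html>"
ARMORED_KEY = (PGP_ARMOR_HEADER + "\nVersion: SKS 1.1.0\n\nmQEN...\n"
               "-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    print(hkp_lookup_url("hkp://pgp.surfnet.nl", "DA4A1116"))
    print(classify_response(HTML_INDEX), "/", classify_response(ARMORED_KEY))
```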


bernhard at intevation

Nov 13, 2009, 12:40 AM

Post #5 of 6 (718 views)
Re: keyserver scheme http broken? [In reply to]

On Friday, 13 November 2009 05:12:30, David Shaw wrote:
> Some keyservers run hkp over port 80 to deal with firewalls (so it's
> hkp://keyserver.example.com:80 in those cases).

Is there a list of those, similar to keys.gnupg.net or http-keys.gnupg.net
from http://keystats.gnupg.net/?

> I'll take a look at gpg.texi and see if I can make this a bit clearer.

That would be wonderful.
If you are at it: I believe the "scheme" part of the example in the --keyserver
option should be marked as optional. It should be said what the default is then
(probably hkp). I've noticed because "--keyserver keys.gnupg.net" just works
and it probably uses hkp. :)

Bernhard


--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Attachments: signature.asc (0.19 KB)


John at Mozilla-Enigmail

Nov 13, 2009, 8:06 AM

Post #6 of 6 (713 views)
Re: keyserver scheme http broken? [In reply to]

Bernhard Reiter wrote:
> On Friday, 13 November 2009 05:12:30, David Shaw wrote:
>> Some keyservers run hkp over port 80 to deal with firewalls (so it's
>> hkp://keyserver.example.com:80 in those cases).
>
> Is there a list of those, similar to keys.gnupg.net or http-keys.gnupg.net
> from http://keystats.gnupg.net/?

See Peter Pramberger's SKS Status page,
http://www.pramberger.at/peter/services/keyserver/network/ .

Port 80 support is shown for both IPv4 and IPv6.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys [at] gingerbear?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
Attachments: signature.asc (0.66 KB)
