Daniel Kahn Gillmor | 7 Dec 2010 16:03

monkeysphere hackday 2010-12-18

hey folks--

I'm going to be working on monkeysphere-related projects on saturday,
the 18th of December at the usual spot.  You're welcome to join me.

Feel free to propose agenda items, bugs in need of triage, etc.

	--dkg

Daniel Kahn Gillmor | 8 Dec 2010 04:09

hkpms

hey monkeys--

if hkp is the http keyserver protocol, and hkps is hkp over tls, what do
you think hkpms is?

hkpms is the name i've decided to use for a new gpg extension that lets
you verify your keyserver's own TLS key through the OpenPGP web of
trust.  (this is known as https://labs.riseup.net/code/issues/2016)

Currently, the implementation is only available in my own repo [0], but
i'd like feedback and testing.  i think this is a sufficiently-tasty new
feature to warrant a new release of msva-perl.

To use it:

 0) build and install a .deb from my debian branch; you might need to
    pull in a few more recommended packages, and please update to
    libio-socket-ssl-perl 1.35 or later (currently only in unstable)

 1) fetch mf/pl keyserver's key from the generic pool (not-encrypted):

   gpg --keyserver pool.sks-keyservers.net \
       --search https://keys.mayfirst.org

 1) edit your ~/.gnupg/gpg.conf so that the only keyserver line is:

     keyserver hkpms://keys.mayfirst.org

 2) remove or comment out any keyserver-options that mention
    ca-cert-file; these are no longer necessary, because you will not

Daniel Kahn Gillmor | 8 Dec 2010 04:16

Re: hkpms

On 12/07/2010 10:09 PM, Daniel Kahn Gillmor wrote:
>  3) go about your business!  you should be able to use gpg --search,
>     gpg --send, gpg --recv, and gpg --refresh with no trouble.

oh, and by the way, keys.mayfirst.org has an OpenPGP key with the
following fingerprint:

0 dkg@pip:~$ gpg --fingerprint =https://keys.mayfirst.org
pub   2048R/E95707CF 2010-01-09 [expires: 2011-12-08]
   Key fingerprint = CC2C 27AF 479E 6DAA BA5F  A7E0 728F FE72 E957 07CF
uid       [  full  ] https://zimmermann.mayfirst.org
uid       [  full  ] https://zimmerman.mayfirst.org
uid       [  full  ] https://keys.mayfirst.org

0 dkg@pip:~$

If you are able to verify this to your satisfaction, please certify the
new key ID and publish your certifications to help other people properly
identify the server.

	--dkg
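As an added check for the verification step described above (example code, not part of monkeysphere or msva-perl): the script below parses the `gpg --fingerprint` listing quoted in this message and pins the server's key, accepting it only if the fingerprint matches the pinned value, the short key ID on the `pub` line agrees with the tail of the fingerprint, the key is unexpired on the given date, and an `https://<hostname>` user ID with full or ultimate validity is present. The sample output is constructed from the session above; `parse_fingerprint_output`, `verify_server_key`, `check_sample` and the pinning policy are assumptions made for this illustration.

```python
"""Pin-check a keyserver's OpenPGP key by parsing `gpg --fingerprint` output.

Added example (not monkeysphere or msva-perl code).  The sample output is
constructed from the terminal session quoted in the thread; the function
names and the pinning policy are assumptions for this illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample: the gpg --fingerprint session quoted in the message,
# prompt lines included, as it would be captured from a terminal.
SAMPLE_OUTPUT = """\
0 dkg@pip:~$ gpg --fingerprint =https://keys.mayfirst.org
pub   2048R/E95707CF 2010-01-09 [expires: 2011-12-08]
   Key fingerprint = CC2C 27AF 479E 6DAA BA5F  A7E0 728F FE72 E957 07CF
uid       [  full  ] https://zimmermann.mayfirst.org
uid       [  full  ] https://zimmerman.mayfirst.org
uid       [  full  ] https://keys.mayfirst.org

0 dkg@pip:~$
"""

# The fingerprint the message asks readers to verify before certifying the key.
PINNED_FINGERPRINT = "CC2C 27AF 479E 6DAA BA5F  A7E0 728F FE72 E957 07CF"

PUB_RE = re.compile(
    r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]+)\s+(\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[expires:\s+(\d{4}-\d{2}-\d{2})\])?"
)
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")
UID_RE = re.compile(r"^uid\s+\[\s*(\w+)\s*\]\s+(\S.*?)\s*$")


def normalize_fpr(text: str) -> str:
    """Drop grouping whitespace and upper-case, so fingerprints compare byte-for-byte."""
    return "".join(text.split()).upper()


@dataclass
class PubKey:
    keyid: str
    created: date
    expires: Optional[date]
    fingerprint: str = ""
    uids: List[Tuple[str, str]] = field(default_factory=list)  # (validity, user ID)


def parse_fingerprint_output(text: str) -> List[PubKey]:
    """Parse the human-readable `gpg --fingerprint` listing into PubKey records."""
    keys: List[PubKey] = []
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            keys.append(PubKey(
                keyid=m.group(3).upper(),
                created=date.fromisoformat(m.group(4)),
                expires=date.fromisoformat(m.group(5)) if m.group(5) else None,
            ))
            continue
        if not keys:
            continue  # shell prompt or other chatter before the first pub line
        m = FPR_RE.search(line)
        if m:
            keys[-1].fingerprint = normalize_fpr(m.group(1))
            continue
        m = UID_RE.match(line)
        if m:
            keys[-1].uids.append((m.group(1).lower(), m.group(2)))
    return keys


def verify_server_key(keys, hostname, pinned, today, accepted=("full", "ultimate")):
    """Return (ok, reason).  ok is True only if a listed key matches the pinned
    fingerprint, its key ID agrees with the fingerprint, it is unexpired on
    `today`, and it carries an https://<hostname> user ID with accepted validity."""
    pinned = normalize_fpr(pinned)
    wanted_uid = f"https://{hostname}"
    for key in keys:
        if key.fingerprint != pinned:
            continue
        # The short key ID printed on the pub line is the tail of the fingerprint.
        if not key.fingerprint.endswith(key.keyid):
            return False, "key ID does not match fingerprint"
        if key.expires is not None and key.expires <= today:
            return False, f"key expired {key.expires.isoformat()}"
        for validity, uid in key.uids:
            if uid == wanted_uid and validity in accepted:
                return True, f"{uid} valid ({validity}) on {key.keyid}"
        return False, f"no accepted user ID {wanted_uid} on {key.keyid}"
    return False, "pinned fingerprint not present in output"


def check_sample(hostname, today_iso, pinned=PINNED_FINGERPRINT):
    """Convenience wrapper: run the pin check against the constructed sample."""
    keys = parse_fingerprint_output(SAMPLE_OUTPUT)
    return verify_server_key(keys, hostname, pinned, date.fromisoformat(today_iso))[0]


if __name__ == "__main__":
    parsed = parse_fingerprint_output(SAMPLE_OUTPUT)
    print(verify_server_key(parsed, "keys.mayfirst.org", PINNED_FINGERPRINT, date(2010, 12, 8)))
```

In practice you would feed the script live output from `gpg --fingerprint` rather than the embedded sample, and the pinned fingerprint would come from your own verification, not from the same channel that delivered the key.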

mike castleman | 8 Dec 2010 04:33

Re: hkpms

ah clever.

I wonder, though, if there is some possibility of gpg getting into an
infinite loop of calling itself if this hkpms option is combined with
some kind of option which automatically downloads keys (of which I
believe gpg has at least one).

mlc

On 12/07/2010 10:09 PM, Daniel Kahn Gillmor wrote:
> hey monkeys--
> 
> if hkp is the http keyserver protocol, and hkps is hkp over tls, what do
> you think hkpms is?
> 
> hkpms is the name i've decided to use for a new gpg extension that lets
> you verify your keyserver's own TLS key through the OpenPGP web of
> trust.  (this is known as https://labs.riseup.net/code/issues/2016)
> 
> Currently, the implementation is only available in my own repo [0], but
> i'd like feedback and testing.  i think this is a sufficiently-tasty new
> feature to warrant a new release of msva-perl.
> 
> To use it:
> 
>  0) build and install a .deb from my debian branch; you might need to
>     pull in a few more recommended packages, and please update to
>     libio-socket-ssl-perl 1.35 or later (currently only in unstable)
> 
>  1) fetch mf/pl keyserver's key from the generic pool (not-encrypted):

Daniel Kahn Gillmor | 8 Dec 2010 04:57

Re: hkpms

On 12/07/2010 10:33 PM, mike castleman wrote:
> ah clever.

 :)

> I wonder, though, if there is some possibility of gpg getting into an
> infinite loop of calling itself if this hkpms option is combined with
> some kind of option which automatically downloads keys (of which I
> believe gpg has at least one).

just to rule out the obvious: hkpms talks to the msva to validate the
keyserver's key.  it explicitly instructs the msva to *not* attempt to
call out to keyservers for this particular resolution, which is
respected in the current msva-perl implementation [0].  so we're not
causing a loop directly in the monkeysphere.

As for a loop caused by an interaction with an unusual gpg option, I
think the feature you're thinking of is:

  --keyserver-options auto-key-retrieve

but this does not trigger any additional lookups when invoking either
--list-keys or --check-sigs, which are the underlying gpg invocations
used by the agent to verify the validity of any given key.

I have tested this :)

If you notice gpg or the msva getting into a loop, please please please
report it!


Michelle E. Ellis | 8 Dec 2010 15:37

Moreinfo and help

Monkeysphere-

I am in the process of writing a security course for an IT training company.  I would like to include Monkeysphere in my discussions of PKI, OpenSSL and PGP.  I am familiar with PKI, but am new to your project having just learned about it at HOPE.

Would any of you be willing to answer my questions over the next several weeks?  I intend to cover the sphere both in the text as well as include it in a PGP lab.

Thanks and warm Regards,

Michelle

Michelle E. Ellis
michelle@cert-tools.com
www.cert-tools.com
410-227-1710

Jameson Rollins | 8 Dec 2010 18:04

Re: hkpms

On Tue, 07 Dec 2010 22:09:24 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> if hkp is the http keyserver protocol, and hkps is hkp over tls, what do
> you think hkpms is?
> 
> hkpms is the name i've decided to use for a new gpg extension that lets
> you verify your keyserver's own TLS key through the OpenPGP web of
> trust.  (this is known as https://labs.riseup.net/code/issues/2016)
>
> Currently, the implementation is only available in my own repo [0], but
> i'd like feedback and testing.  i think this is a sufficiently-tasty new
> feature to warrant a new release of msva-perl.

Nice dkg!  Very cool.

I wanted to try the new extension, but it looks like it requires perl
IO::Socket::SSL version 1.35.  Unfortunately I only see 1.34 in Debian
unstable.  Do you have a package of 1.35 available somewhere?

jamie.
Daniel Kahn Gillmor | 8 Dec 2010 19:31

Re: hkpms

On 12/08/2010 12:04 PM, Jameson Rollins wrote:
> I wanted to try the new extension, but it looks like it requires perl
> IO::Socket::SSL version 1.35.  Unfortunately I only see 1.34 in Debian
> unstable.  Do you have a package of 1.35 available somewhere?

1.35 is available in unstable:

0 dkg@pip:~$ rmadison -u debian libio-socket-ssl-perl
 libio-socket-ssl-perl | 1.01-1        | etch    | source, all
 libio-socket-ssl-perl | 1.16-1+lenny1 | lenny   | source, all
 libio-socket-ssl-perl | 1.33-1        | squeeze | source, all
 libio-socket-ssl-perl | 1.35-1        | sid     | source, all
0 dkg@pip:~$

It contains what i consider to be a critical security fix (it avoids
"failing open" when the ca_file or ca_path configs are not set).

	--dkg
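To make the "failing open" failure mode concrete, here is an added Python illustration (not code from IO::Socket::SSL, msva-perl or monkeysphere) of the weak pattern beside the corrected one: `fail_open_context` only verifies the peer when a CA location was configured, so an unset `ca_file`/`ca_path` silently disables verification, while `fail_closed_context` verifies unconditionally and treats a missing or mistyped CA location as an error. The function names and the `allow_system_store` knob are assumptions made for this example.

```python
"""Fail-open versus fail-closed TLS client setup, shown with Python's ssl module.

Added example, not IO::Socket::SSL or msva-perl code: it models in Python the
behaviour the message describes (a client that only verifies when ca_file or
ca_path is set) beside the fixed behaviour.  Function names are assumptions.
"""
import os
import ssl


def fail_open_context(ca_file=None, ca_path=None):
    """The anti-pattern: verification is switched on only when a CA location
    was configured.  With nothing configured, any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file or ca_path:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=ca_file, capath=ca_path)
    else:
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE   # silently trusts any peer certificate
    return ctx


def fail_closed_context(ca_file=None, ca_path=None, allow_system_store=True):
    """Verification and hostname checking are unconditional.  A missing CA
    configuration falls back to the platform trust store, or refuses outright;
    it never degrades to an unverified connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file or ca_path:
        for location in (ca_file, ca_path):
            if location and not os.path.exists(location):
                # A typo in the path is an error, not a reason to skip verification.
                raise FileNotFoundError(f"CA location not found: {location}")
        ctx.load_verify_locations(cafile=ca_file, capath=ca_path)
    elif allow_system_store:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        raise ValueError("no ca_file/ca_path configured; refusing to connect unverified")
    return ctx


def describe(ctx):
    """Summarise the two settings that decide whether a forged certificate is rejected."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def refuses_without_ca():
    """True if the fail-closed builder raises, rather than degrading, when it
    is told not to use the system store and is given no CA location."""
    try:
        fail_closed_context(allow_system_store=False)
    except ValueError:
        return True
    return False


def rejects_missing_ca_file(path="/nonexistent/ca-bundle.pem"):
    """True if a misconfigured CA path is reported instead of silently skipped."""
    try:
        fail_closed_context(ca_file=path)
    except FileNotFoundError:
        return True
    return False


if __name__ == "__main__":
    print("fail-open, no CA configured:  ", describe(fail_open_context()))
    print("fail-closed, no CA configured:", describe(fail_closed_context()))
```

The point of the comparison is the unconfigured case: both builders behave the same once a CA location is given, and only the fail-closed one keeps `CERT_REQUIRED` and hostname checking when it is not.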

Jameson Rollins | 8 Dec 2010 21:11

Re: hkpms

On Wed, 08 Dec 2010 13:31:03 -0500, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 1.35 is available in unstable:
> 
> 0 dkg@pip:~$ rmadison -u debian libio-socket-ssl-perl
>  libio-socket-ssl-perl | 1.01-1        | etch    | source, all
>  libio-socket-ssl-perl | 1.16-1+lenny1 | lenny   | source, all
>  libio-socket-ssl-perl | 1.33-1        | squeeze | source, all
>  libio-socket-ssl-perl | 1.35-1        | sid     | source, all
> 0 dkg@pip:~$

Ah, great.  Sorry, should have updated first.

And it works great!

jamie.
micah | 12 Dec 2010 23:14

[Mozilla Add-ons] Important information about self-hosted add-ons


It looks like the Mozilla Add-On service is removing their 'self-hosted'
option, which is what we are using. I personally don't mind switching to
their service, but I think others may have strong opinions otherwise?

micah

From: Mozilla Add-ons <nobody@mozilla.org>
Subject: Important information about self-hosted add-ons
Date: 2010-12-10 23:55:11 GMT
As announced in October, support for self-hosted add-ons in the Mozilla Add-ons
Gallery (addons.mozilla.org) will be discontinued in the coming weeks. We will
soon be requiring that all add-ons listed in our gallery be reviewed by an
editor, so self-hosted add-ons no longer fit with the security policies we'll
have in place.

You can read more about this change in our announcement post:
http://blog.mozilla.com/addons/2010/10/06/discontinuing-several-features-of-amo/

If you wish for your add-on to stay on addons.mozilla.org, please convert it to
fully-hosted no later than December 24. Once our new Developer Tools
launch, support for managing self-hosted add-ons will be removed and any
remaining self-hosted add-ons will be disabled.

You can convert your add-on to fully-hosted from its status page:

* Monkeysphere - https://addons.mozilla.org/developers/addon/status/125272

Thanks for participating in our self-hosted add-ons pilot, and we hope you'll
choose to host your add-on in our gallery.

If you have any questions, please email amo-admins@mozilla.org.

Mozilla Add-ons Team
https://addons.mozilla.org
