Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 20 Aug 2013 14:56:00 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
CC: Kurt Seifried <kseifried@...hat.com>, 
 "Eric H. Christensen" <echriste@...hat.com>,
 security@...tgresql.org, kevin@...ye.com
Subject: Re: PostgreSQL insecure install via yum (multiple
 problems)

On 08/20/2013 12:11 AM, Kurt Seifried wrote:
> Dunno who to ask, so adding Scrye: can we make sure Google indexes the
> Fedora key server? This actually raises a good point, what are the key
> servers now? The big 3 used to be:
> 
> http://pgp.mit.edu/
> http://keyserver.pgp.com/
> http://sks-keyservers.net/

None of the above represent the dominant set of keyservers currently
actively gossiping on the 'net today.  Probably the best mechanism to
track actively-syncing peers is pool.sks-keyservers.net  (*not*
sks-keyservers.net on its own).  The various pools in the
pool.sks-keyservers.net subzones are well-maintained DNS round-robins.

for more details, see:

 http://sks-keyservers.net/overview-of-pools.php

If you want to discuss the keyserver network, the dominant keyserver
implementation (SKS) or the DNS pools, the best place to do so is:

  SKS development list <sks-devel@...gnu.org>

GnuPG's default keyserver of keys.gnupg.net is now a CNAME for
pool.sks-keyservers.net, fwiw.

---------------

I agree with Moritz Naumann's analysis of the weakness of the postgresql
RPM key overall -- a 5.5 year-old 1024-bit DSA key is probably not
appropriate for use any more.  If the psql RPM folks are going to do any
work to improve this, they're probably better off starting with a new,
strong key entirely.

If they want to upgrade their key but don't want to change their
documentation at all, they can contact me off-list and i'll help them
generate a 4096-bit RSA key that has the matching short keyID, since
short keyIDs are trivial to spoof these days :P

	--dkg


Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.