[Answering both emails, from Eric and David]
As David pointed out, there will be a need for `
key.upspin.io` to exist
for any user with a name for which the owner of a domain won't run a
dedicated keyserver.
The proposal for using SRV records for the discovery of keyservers
helps to create a genuinely distributed, yet still global namespace,
that is: maintaining discoverability under proliferation of the
instantiations.
But the proposal doesn't solve or alter the trust issue. As I argued
earlier, from the user's perspective, there is no (technical) reason
to trust the domain owner and maintainer of
key.upspin.io any more
than the domain owner of any other domain. Also, again from the
user's perspective, there is no technical reason to trust the
_contents_ of
key.upspin.io without prior knowledge f.e. of the
fingerprint of a key.
(Using auto-certifiers like letsencrypt doesn't solve the trust issue
neither, as I have to trust the domain- and email-address ownership to
begin with. But again, the proposal is orthogonal to the trust
issue.)
To give you a concrete motivation for my suggested approach:
an...@upspin.io has de-facto been decommissioned, but is still
referred to in various places in the code base (upspin-ui, f.e.).
Let me aggressively extrapolate from this incidence:
There could be a point in time where control over the domain
upspin.io
or the instance
key.upspin.io is lost. The current incarnation of the
global namespace would basically go dark, at least for a while. Using
SRV records, however, would keep the lights on at parts of the global
namespace, making it more resilient.
I think the two suggestions by David and Eric (and two added by me)
are strong requirements for a proper design of the proposal:
- Use
key.upspin.io as the default and SRV lookup results only as
fallback.
- Add warnings on key and keyserver changes. Requires local storage of
that information.
- Add warnings if a username occurs on multiple keyservers with
different keys.
- Maybe generally useful: Provide a mechanism to confirm a public key
of a user's name by providing a fingerprint (acquired by another,
trusted channel).
As for the experiment I ran: I could re-run with the entries in the
still existing
key.upspin.io, of course. For other domains I would
have to somehow guess or find domain-names and then lookup SRV
records. However, this is not any different from, say, currently
self-hosted instances of upspin-keyservers that might or might not be
publicly listed.
As for the SRV-based lookup itself in a potential implementation: I
was thinking to actually run it in a goroutine, in parallel to the
request to
key.upspin.io. That way, we can always evaluate the
consistency of the results without adding much of a delay by another
round trip.
Cheers,
Özgür (Oscar)
Thus spake Eric Grosse (
gro...@gmail.com):
> Nice suggestion. A couple questions, to help me understand:
>
> Q1: If you trust that a few of us monitor the TLS certificates for
>
key.upspin.io and check the
key.upspin.io log checksums, then you have
> some assurance that fake keys are not being selectively given to a
> victim. Do you have as much confidence that nowhere in the world does
> DNS point to a fake
keyserver.kesim.org?
>
> Q2: Suppose all upspin domains adopted SRV records as proposed. We
> could even get rid of
key.upspin.io, which nicely saves me a monthly
> charge for running upspin infrastructure. But then how would you
> re-run your original experiment?
>
> These are not fatal issues; for example, we might shift our trust
> model to an ssh-like warn-upon-keychange. And there could be a
> convention on a central place to post notice of new and changed upspin
> domains. Or we could depart from the attempted global upspin community
> and accept smaller communities of interest.
>
Thus spake David Presotto (
p...@birdsh.it):