OpenPGP: Desperately Seeking Kristian

Sergio De Los Santos    6 July, 2020
OpenPGP: Desperately Seeking Kristian

A year ago, OpenPGP was suffering from a problem of vandalism in its key servers. The system was dying and needed a change that was not trivial without betraying principles based on a 1990s Internet, naive in today’s eyes. Recently, a simple anecdote shows once again some serious shortcomings, an anachronism unworthy of today’s networks. An unbreakable will but unable to adapt to the new times that continues to seek Kristian desperately.

What’s Happened?

This image has an empty alt attribute; its file name is image-71.png

Key servers (SKS) are essential to the OpenPGP infrastructure. They ensure that we can locate people’s public keys. They allow these keys to be incorporated into the system and ensure that they are never lost and replicated to provide availability. To interact with them, the OpenPGP HTTP Keyserver protocol (HKP) is used. Through port 11371 keys can be uploaded and searched.

Public servers have never worked properly, and they have too many shortcomings. To test it, just connect to any key system (such as https://pgp.mit.edu) and search for keys. After several server errors (and adapting the eye to the 90s aesthetics), you may have the answer. It’s the same with https://keys.gnupg.net, https://pgp.key-server.io or any other. Unreliable and poorly-maintained servers are the root of public cryptography.

HKP over TLS is called HKPS. The hkps.pool.sks-keyservers.net server is responsible for the “pool” of HKPS servers that brings them together, arranges and “sorts” them from a DNS point of view so that they can be known and coordinated. To join the pool, servers must be validated and certified by their own CA, that allows their encrypted communication. This CA has been maintained manually by a single person for more than 10 years: Kristian Fiskerstrand.

The point is that Todd Fleisher, who manages one of those servers, had his certificate expired, one that allowed him to communicate with the main server and stay within the pool, therefore coordinated with the remaining servers. He tried “desperately” to contact Kristian for a month. Time was against him. Kristian gave no sign of life, neither by mail nor on social networks. 

Finally, his certificate expired, and he had to get one from Let’s Encrypt just to keep encrypting communications. He was aware that the pool hkps.pool.sks-keyservers.net  would not trust him, but at least it allowed him to keep working without synchronisation. Shortly after, Kristian replied. Without giving any further reasons, he said he had been on other business during the last month. He renewed his certificate. If it had taken longer, the other servers would have expired, and the pool would have ignored them.

Why Did This Happen?

Because a centralised critical point (that makes it possible the decentralised use of OpenPGP) is in the hands of a single person who voluntarily maintains it. A system from another decade (and not even the last one) prone to errors, failures and dependent on good will. Romantic but impractical.

We love free software, but let’s not forget that it also requires funding so that not just one person, but a team, can invest the corresponding time. Because we’re talking about a free encryption system, whose grandfather was the standard-bearer of cypherpunk in the 90s, and which Phil Zimmerman fought for. Let’s remember that until the year 2000, the export of cryptography outside the United States was very limited.

This image has an empty alt attribute; its file name is image-69.png

This is not the only problem with OpenPGP. Thunderbird, a classic that has experienced all kinds of problems (Mozilla wanted to get rid of it for a while to focus its efforts on Firefox) gave good news. In October 2019 Mozilla announced that it wanted to add native OpenPGP support to its Thunderbird email client. This meant removing its Enigmail extension, the queen for managing S/MIME and OpenPGP in the mail.

This fact brought to light some realities of the software world that, in the field of free and open source, are perhaps more surprising because of the expectations generated. Enigmail works almost miraculously. This means that Enigmail’s interface uses command line calls and collects the result that redraws in Thunderbird, with all the problems that this can entail. This is certainly not an ideal scenario, but it has been done for many, many years and nothing better has come up. Enigmail is a project of a few people in their free time living on donations. They’ve been maintaining it for over 15 years and, when they know they’re going to have to kill it, they even offer to help the Thunderbird development team get it integrated.

Even so, Thunderbird had to face licensing issues to incorporate encryption into its client natively, but there was a condition: if the effort made Mozilla lose focus on Firefox, it wouldn’t be worth it. However, it seems that it’s almost integrated. We can see the following message in the latest versions of Thunderbird:

This image has an empty alt attribute; its file name is image-65.png

This essentially means that they haven’t been able to make the two systems compatible for a while, neither Enigmail nor the new integrated system are working well in the latest versions. They haven’t had time. So you have to choose an outdated version of Thunderbird if you want to use OpenPGP with Enigmail for a period.

What Else Is Going to Happen?

This image has an empty alt attribute; its file name is image-62.png

A critical system can’t be maintained by good will. It requires critical mass of use (beyond promotion), investment (and not just donations), collaborations (beyond good words), infrastructure and people. Above all, people. It cannot depend on literally one single technician for a critical part of the system, because he puts all its functionality at risk. Free software can’t be seeking Kristian desperately.

Leave a Reply

Your email address will not be published. Required fields are marked *