[Deutsche Version]

The PGP keyservers

What are keyservers for?

The keyservers store the (public) PGP keys and key certificates. Everyone looking for a public PGP key can search this key on the keyservers and finally retrieve the found keys.
The keyservers synchronise each other. If someone add a key to any of the keyserver, this key is distributed to all keyservers.

Because all keys and key certificates are stored on these keyservers, it is possible to verify if a certain key is valid. A key is valid, if it is signed by another trusted key. You find more about that in de explanation of the web of trust.

How to use the keyservers

You can retrieve or deposit keys by email, by a WWW interface or by PGP itself (only > PGP 5.x).

More Documentation can be found on RedIRIS.

The software for the keyserver has been written by Marc Horowitz. See also Running a keyserver.

Where to find the keyservers

The official Keyserver homepage is on http://www.pgp.net/pgpnet/.
A lot of interesting informations about PGP and especially the Keyservers can be found on ES Keyserver Information page.

Some well known keyservers are:

• wwwkeys.nl.pgp.net - der Keyserver in den Niederlanden
• wwwkeys.ch.pgp.net - der Keyserver in der Schweiz

keyserver status

Christoph Martin manages a big brother site to see which keyservers are alive. (down at the moment)

Running a keyserver

The most known keyserver has been written by Marc Horowitz. His software (and some other stuff) is available from http://www.mit.edu/~marc/pks/pks.html

Since September 2002, the software is avaible on Sourceforge, Project pks.

There are other keyserver implementations:

• The SKS OpenPGP Key Server
• CryptNET Keyserver
• OpenPKSD - development state unclear for me.
• OpenPGP Public Key Server a patched version of pksd, but not longer maintened

pks software

There are a lot o patches for his last released version 0.9.4 (released in 1999). I collected some of them:

• pks094-patch2 and pgp signature they are from this original location.
• flood.patch stops flooding caused by multiple revocation certificates.
• kdsearch_error.patch
• JHpatch1.txt and pgp signature from Jason Harris, introducing HKP (WWW) key submissions disabled by default, enabled via configuration file. They are from this original location
• patch_buffoverflow20020525 fixes a problem noticed on bugtraq (buffer overflow with long arguments to the search in HDP requests).
  This was posted by Jason Harris on the keyserver list.

All patches applied: pks-0.9.4_patch2_flood_kdsearcherror_JHpatch1_buffoverflow20020525.tgz and the pgp signature

You can find other patches and a source rpm file at ftp://ftp.rediris.es/rediris/software/pks/pks-0.9.4-8.src.rpm

New patches:

1. patch_pf20020615 fixes the problem of randomly not sending updated signatures to the syncsites. Caused by improperly initialized mymory.

Since September 2002, the software is avaible on Sourceforge, Project pks.

pks contributions

I wrote/changed some scripts to run my keyserver. Perhaps they are usable for others:

• I use pks-mail.sh to store incomming messages. They are only stored and not processed with this script. This prevents waiting sendmail processes if many updates are coming in.
• The script pks-queue-run-forever.sh runs pksd in a controlled environment. This script is very linux related. It chechs the number of running processes to prevent starting too many processes, chechs the number of open files and also does a database recover and restarts pksd if it dies.
  It creates one line of output for every processed incoming file.
• processInFile.pl reads a Mailbox in mbox format and writes every pgp-keyblock in an own file. This is usfull if you store all incomming keyserver messages in such a mailbox and want them to reprocess with pksclient.
  To prevent slow down with many files in one directory, the scripts creates a new directory for every 1000 files (change $groupby to adapt).
• analyseKeyServerRelations.pl reads an mbox and analyses all incrementals. It counts how many incrementals are arrived from who and what are the other keyservers that are in the X-KeyServer-Sent header.