11

I want to know technical details about how public PGP keyservers synchronize the keys.

If I send my key to one keyserver, how exactly does it "travel" to all the other ones? Who sends it to who and how? What would I need to know it I wanted to write my own public key server software from scratch?

I am trying to look for either some protocol description or even the actual code that takes care of this, but I cannot find it.


One of the examples I had in mind were keyservers like http://pgp.mit.edu and http://pgp.zdv.uni-mainz.de. As far as I know, if I upload a key to the first one, it gets somehow "magically" transfered to the other one, and then dozens of other keyservers publicly found on the internet.

I am asking for concrete standards how those keyservers exchange the submitted keys, and if there is not one concrete strategy, then what strategies are usually used.

Karel Bílek
  • 746
  • 1
  • 8
  • 18
  • This is a pretty broad topic. Not all keyservers share with other keyservers. There's probably no specific protocol for it. – RoraΖ Feb 19 '15 at 14:41
  • OK, so what is the "standard" way? For example, I submitted my key to pgp.mit.edu, but it somehow "magically" appeared at pgp.zdv.uni-mainz.de, and I am not sure how – Karel Bílek Feb 19 '15 at 14:44
  • That's probably a question [for them](https://pgp.mit.edu/about.html). Unless someone here supports that server, I doubt we'd be able to answer that. – RoraΖ Feb 19 '15 at 14:52
  • 2
    I'd consider that question _very well answerable_ and had an answer pretty much complete within four paragraphs, even discussing the key servers specifically mentioned and giving an overview. Voting to repopen, this question is _not_ too broad. – Jens Erat Feb 19 '15 at 15:13
  • @JensErat well I cannot reopen it :) – Karel Bílek Feb 19 '15 at 15:52
  • @JensErat I have reworded the question to be less broad – Karel Bílek Feb 19 '15 at 19:59
  • Wait for others finding the question in the review queue and finally being reopened. We're at two of five reopen votes right now (I'm not sure if you can see that yet or still lacking reputation). Just wait and relax for others getting home from work and cleaning up review queues. ;) – Jens Erat Feb 19 '15 at 20:01
  • @JensErat OK, I found the SE rules in the meantime. Thanks! – Karel Bílek Feb 19 '15 at 20:02
  • For your information: three of five reopen votes now. – Jens Erat Feb 19 '15 at 20:23
  • One of the standard architectures in use is the Synchronizing Key Server architecture (https://sks-keyservers.net/). – Ari Trachtenberg Feb 19 '15 at 21:10

1 Answers1

10

Key server synchronize using different protocols, forming a network of more than hundred servers all around the world involved.

E-Mail Synchronization

The "old" way of key server synchronization is based on the key servers sending e-mails to each other. Whenever a key server receives new information he doesn't know yet (either uploaded by a user or received from another key server), he forwards these information to all other key servers in his synchronization list.

SKS Protocol

Because the old e-mail based protocol doesn't scale very well (especially with the number of servers in the synchronization list), a new protocol was defined for the Synchronizing Key Server (SKS), which is based on set reconciliation.

These key servers "gossip" with each other in a given time interval. From a very basic point of view, set reconciliation orders the keys in a so-called partition tree, which allows to find the differences easily without transmitting a lot of information. Only the modified keys are then exchanged.

MIT and University of Mainz Key Servers

For SKS keyservers (and also Hockeypuck, which is another implementation of the SKS protocol), the gossip partners can be retrieved by fetching their statistics page, available as http://[keyserver]:11371/pks/lookup?op=stats. Looking at the statistic pages of both the MIT key server and the one of the University of Mainz, one will realize they even have a direct, mutual synchronization agreement (look at the "Gossip Peers" column).

The key server of the CCC Hanau on the other does not directly gossip with the one of the MIT. If you upload a key to any of these servers, the other will not get aware of it directly, but through the intermediate server of the University of Mainz (or on any other synchronization path).

Visualizing the Whole Key Server Network

The SKS keyserver pool crawls the key server network periodically, and provides a dot file of the key server network (of all servers in the SKS pool, not including synchronization links based on the old e-mail synchronization algorithm).

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
  • Thank you! So, can I now make a new SKS server and start synchronizing with other already existing SKS servers? Or do I understand it wrong? edit: oh, I found it here - https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering . Thanks, you helped me a lot – Karel Bílek Feb 23 '15 at 09:59
  • 1
    Yes. You'd setup the server, fetch a key dump (several key servers provide them) and import it. Then, ask for peers on the SKS mailing list. The SKS homepage has some information available on setting up a key server, but there are definitely easier things to get running. Setting up a key server will require some reading. – Jens Erat Feb 23 '15 at 10:02
  • Again thanks for pointing me in the right direction – Karel Bílek Feb 23 '15 at 10:05