North American Network Operators Group


RE: PGP keyserver infrastructure

  • From: Peter Francis
  • Date: Fri Jun 30 15:13:12 2000

We are currently running a globally load balanced network with dedicated servers available in 15 (and rising) locations in the US and Europe.  We would be happy to run a number of keyservers on our network.

We are using the Foundry ServerIron's global server load balancing which uses a TCP syn/ack based round trip time metric to direct a client to the "closest" site.

Does the key-service answer on a specific TCP port?

If this sounds feasible please point us at info on how to set up a key-server.


Peter Francis Cerrato
Sr. Network Engineer
SoftAware Networks

At 11:13 AM -0700 6/30/00, L. Sassaman wrote:
>On Fri, 30 Jun 2000, Eric M. Carroll wrote:
>> The Internet has been uniquely successful in introducing a namespace, a
>> hierarchical delegation system, and a root system. We use this system to
>> locate many services. One common one is email service. We use it
>> ubiquitously. No one argues about the "EMail Service Resource Location
>> Protocol". We use the DNS. End of discussion. Other examples exist, such as
>> http. Each has a slightly different way to interface to the DNS, but at
>> least they are defined.
>Just to restate here:
>Currently, *all* servers serve *all* keys. Unlike an X.500 directory, it
>is very difficult to segment PGP keys into directories. How would one do
>this? Using DNS? Which domain would one choose to use for cataloging the
>keys? (ex.: My key has multiple email addresses, including and
> Which domain would it be under?)
>It is the theory that one keyserver (provided it has 100% uptime, and 100%
>reliable synchronization with the rest of the servers) is sufficient for a
>person using the PGP Keyserver network. Each server is assumed to hold the
>entire world's keys.
>Multiple servers only exist for redundancy and performance benefits.
>Is this the best method? Probably not. There have been numerous proposals
>for segmenting the public key collection, but none have been
>favored. Given sufficient drive space, this doesn't seem to be a big
>problem, however.
>Since the keyserver network could be viewed as simply one server, since
>each is a mirror of the rest, the only thing we need to focus on if we are
>to use the current model is how to send the user requesting a key to the
>closest, fastest keyserver. Directory structures don't play into this.
>--Len.
>L. Sassaman
>System Administrator                | 
>Technology Consultant               |  "Common sense is wrong."
>icq.. 10735603                      | 
>pgp.. finger:// |    --Practical C Programming
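The model the thread describes, every keyserver mirroring every key and the client sent to the lowest-RTT site, can be exercised by a small client. The following is an added example, not code from the thread or from any keyserver project: it ranks mirrors by TCP handshake time (the same SYN/ACK metric the ServerIron uses) and, because a miss on a mirror usually means replication lag rather than a missing key, falls through to the next-closest mirror. It assumes the servers speak HKP on its conventional port 11371; the hostnames, RTTs and key id are constructed sample data.

```python
import http.client
import socket
import time

HKP_PORT = 11371  # conventional HKP keyserver port (assumption: mirrors speak HKP)

def tcp_rtt(host, port=HKP_PORT, timeout=2.0):
    """Time a TCP handshake (SYN -> SYN/ACK), the metric a GSLB uses to rank sites.
    Returns seconds, or None if the server is unreachable."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None

def hkp_lookup(host, key_id, port=HKP_PORT, timeout=5.0):
    """Fetch one key over HKP; None when the server lacks it (non-200) or fails."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", f"/pks/lookup?op=get&search={key_id}")
        resp = conn.getresponse()
        return resp.read().decode("utf-8", "replace") if resp.status == 200 else None
    except (OSError, http.client.HTTPException):
        return None

def rank_servers(servers, probe=tcp_rtt):
    """Order mirrors by RTT, fastest first; unreachable mirrors are dropped."""
    measured = []
    for server in servers:
        rtt = probe(server)
        if rtt is not None:
            measured.append((rtt, server))
    return [server for _, server in sorted(measured)]

def resolve_key(servers, key_id, probe=tcp_rtt, lookup=hkp_lookup):
    """Ask the closest mirror first. Every mirror is supposed to hold every key,
    so a miss is treated as replication lag and the next-closest mirror is tried."""
    for server in rank_servers(servers, probe):
        key = lookup(server, key_id)
        if key is not None:
            return server, key
    return None, None

# Constructed offline sample standing in for real probes and real HKP lookups.
SAMPLE_RTT = {"ks-a.example": 0.120, "ks-b.example": 0.030, "ks-c.example": None}
SAMPLE_KEYS = {"ks-a.example": {"0xDEADBEEF": "(constructed key block)"}, "ks-b.example": {}}

def demo():
    # ks-b is closest but has not yet replicated the key; ks-a answers on fallback.
    return resolve_key(list(SAMPLE_RTT), "0xDEADBEEF", probe=SAMPLE_RTT.get,
                       lookup=lambda s, k: SAMPLE_KEYS.get(s, {}).get(k))
```

Swap in the default `tcp_rtt` and `hkp_lookup` to run it against live mirrors.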