North American Network Operators Group

RE: PGP keyserver infrastructure
We are currently running a globally load balanced network with dedicated servers available in 15 (and rising) locations in the US and Europe. We would be happy to run a number of keyservers on our network. We are using the Foundry ServerIron's global server load balancing, which uses a TCP syn/ack based round trip time metric to direct a client to the "closest" site. Does the key-service answer on a specific TCP port? If this sounds feasible please point us at info on how to set up a key-server.

Thanks,

Peter Francis Cerrato
Sr. Network Engineer
SoftAware Networks

At 11:13 AM -0700 6/30/00, L. Sassaman wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Fri, 30 Jun 2000, Eric M. Carroll wrote:
>
>> The Internet has been uniquely successful in introducing a namespace, a
>> hierarchical delegation system, and a root system. We use this system to
>> locate many services. One common one is email service. We use it
>> ubiquitously. No one argues about the "EMail Service Resource Location
>> Protocol". We use the DNS. End of discussion. Other examples exist, such as
>> http. Each has a slightly different way to interface to the DNS, but at
>> least they are defined.
>
>Just to restate here:
>
>Currently, *all* servers serve *all* keys. Unlike an X.500 directory, it
>is very difficult to segment PGP keys into directories. How would one do
>this? Using DNS? Which domain would one choose to use for cataloging the
>keys? (ex.: My key has multiple email addresses, including quickie.net and
>pgp.com. Which domain would it be under?)
>
>It is the theory that one keyserver (provided it has 100% uptime, and 100%
>reliable synchronization with the rest of the servers) is sufficient for a
>person using the PGP Keyserver network. Each server is assumed to hold the
>entire world's keys.
>
>Multiple servers only exist for redundancy and performance benefits.
>
>Is this the best method? Probably not. There have been numerous proposals
>for segmenting the public key collection, but none have been
>favored. Given sufficient drive space, this doesn't seem to be a big
>problem, however.
>
>Since the keyserver network could be viewed as simply one server, since
>each is a mirror of the rest, the only thing we need to focus on if we are
>to use the current model is how to send the user requesting a key to the
>closest, fastest keyserver. Directory structures don't play into this.
>
>
>- --Len.
>
>__
>
>L. Sassaman
>
>System Administrator |
>Technology Consultant | "Common sense is wrong."
>icq.. 10735603 |
>pgp.. finger://ns.quickie.net/rabbi | --Practical C Programming
>
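The two layouts contrasted in the quoted message, full mirrors reached through a latency-based GSLB choice versus a key collection segmented by user-ID domain, as a small Python model. This is an added example, not code from the thread or from any keyserver project; all keys, site names, e-mail addresses and round-trip times in it are constructed sample data.

```python
# Added example (not from the thread): a model of the two keyserver layouts
# the quoted message contrasts. Full mirrors answer any lookup, and only the
# measured round trip decides which site a client is sent to; a per-domain
# segmentation must store a multi-address key in every matching shard.
from dataclasses import dataclass

@dataclass(frozen=True)
class PGPKey:
    key_id: str        # constructed identifier, not a real PGP key ID
    uids: tuple        # e-mail addresses bound to the key

def uid_domain(email: str) -> str:
    """Domain part of a user-ID e-mail address, lower-cased."""
    return email.rsplit("@", 1)[1].lower()

def shard_by_domain(keys):
    """Segment the collection by UID domain, as a DNS-style directory would.
    A key with addresses in several domains must live in every matching shard."""
    shards = {}
    for key in keys:
        for uid in key.uids:
            shards.setdefault(uid_domain(uid), set()).add(key)
    return shards

def copies_required(shards, key) -> int:
    """How many shards must stay in sync for one key (the multi-domain case)."""
    return sum(1 for members in shards.values() if key in members)

def closest_site(rtt_ms: dict) -> str:
    """GSLB-style choice: the site with the lowest measured SYN/ACK round trip."""
    return min(rtt_ms, key=rtt_ms.get)

def lookup_mirrored(mirrors, rtt_ms, email):
    """Full-mirror model: every site holds every key, so any site can answer
    and only latency decides which one the client is directed to."""
    site = closest_site(rtt_ms)
    return site, sorted(k.key_id for k in mirrors[site] if email in k.uids)

# Constructed sample data: two keys, three mirror sites, one set of probe results.
KEYS = (
    PGPKey("KEY-A", ("alice@example.net", "alice@example.com")),
    PGPKey("KEY-B", ("bob@example.org",)),
)
MIRRORS = {site: set(KEYS) for site in ("lax", "iad", "ams")}  # every site, every key
RTT_MS = {"lax": 42.0, "iad": 18.5, "ams": 97.0}                 # constructed RTT probes

if __name__ == "__main__":
    shards = shard_by_domain(KEYS)
    print("shards that must carry KEY-A:", copies_required(shards, KEYS[0]))
    print("mirror lookup:", lookup_mirrored(MIRRORS, RTT_MS, "alice@example.com"))
```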