The state of OpenPGP key servers: Kristian, can you renew my certificate? A month later: Kristian? Ten days later: Too late, it’s expired

There was a time when there was a certain amount of pride in the fact internet engineers all knew one another, that systems critical to the internet’s functioning were run in the back of other facilities, and a single person was often in charge of whole services.

Fortunately those times have changed, and global communication networks are now run a little more professionally, with clear points of contact, dedicated rooms and staff, and multiple checks and balances to ensure things run smoothly.

Or so we thought.

“Hi all, Has anyone seen or heard from Kristian in the last month or so?” asked Todd Fleisher earlier this month – in fact, 11 June – on the main mailing list for an important cluster of OpenPGP key servers. “I’ve reached out several times off list about the upcoming expiration of my server’s certificate for the HKPS pool but have not received any response.”

Todd was referring to Kristian Fiskerstrand who has run the SKS keyserver pools, which are relied upon by various applications using OpenPGP for encryption. Fiskerstrand, who had seemingly gone AWOL, issues cryptographic certificates to servers that join the SKS keyserver pools, allowing these volunteer machines to share the load in securely handling key lookup requests. It's these certs that were in danger of expiring, forcing them out of the collective.

No one knew where Kristian was. Try his Twitter handle, suggested one: but he hadn’t posted there for over a year. What about his Facebook, suggested another with a link? Nope, no activity there, either.

This wasn’t the first time Todd has tried to get Kristian to renew his certs: he had posted a similar message the previous month and heard nothing. Now Todd was getting worried: “My certificate expires in 10 days, at which point I will no longer be able to serve requests for hkps.pool.sks-keyservers.net and will have to generate my own certificate so other clients can continue to securely access my server directly,” he warned.

It gets worse

And it went further than that too, Todd noted: “The SKS HKPS certificates of the only other servers in the pool expire in 36 days. If new certificates are not minted by that time the SKS HKPS pool will become defunct. If anyone has other channels by which to reach Kristian, please use them to reach out and make sure he is OK & aware of this impending issue.”

But nobody could track Kristian down and no responses were forthcoming. Ten days later, and presumably having tried numerous other ways to get hold of the man running the keyserver pools, a resigned Todd posted back to the list.

“The certificate has now expired and been replaced with a standard SSL certificate from Let’s Encrypt. As such, it will no longer be able to field requests… 25 days until Dan Austin’s certificates expire on the remaining nodes in the pool.”

This is seemingly not the first time there have been issues with the widely used keyserver pool.

A year ago last week, a new OpenPGP keyserver was launched at keys.openpgp.org to “to provide an alternative to the SKS Keyserver pool,” which its founders noted had “been struggling with abuse, performance, as well as privacy issues, and more recently also GDPR compliance questions.”

It was a community effort led by three OpenPGP advocates providing secure email and certificate services. As they noted at the time: “Kristian Fiskerstrand has done a stellar job maintaining the pool for more than ten years, but at this point development activity seems to have mostly ceased. We thought it time to consider a fresh approach to solve these problems.”

Fresh approach indeed. Because if there one thing that internet engineers have learned since the days of Jon Postel, it’s that leaving your infrastructure in the hands of a single person, no matter how well meaning, is rarely a good idea.

AWOL

There are countless examples of how administrators and maintainers accidentally created havoc by losing emails, forgetting deadlines, going on holiday, or falling sick. There’s even the case of one sysadmin in charge of an entire country’s top-level domain disappeared and left the entire system in limbo.

It was 2002 and Afghanistan: Abdul Razeeq, administrator of .af, could not be reached. Some suspected he had been killed during the bombing of Kabul by US armed forces days earlier. But, fortunately for everyone, Razeeq popped up just in time to sign over .af to the US interim administration before never being heard from again.

You can still see the one paragraph letter [PDF] he signed handing over the top-level domain. A letter that is not in any way suspicious and was definitely signed by Abdul Razeeq, no doubt about it.

Had the same fate befallen SKS’ Kristian Fiskerstrand?

No. Because the day after Todd’s certificates expired – today, Tuesday, in fact – up popped Fiskerstrand. “I'm around here,” he informed the mailing list, “Just focusing on everything else than computers lately, sorry about that (but it has really been nice..) Will get around to issuing a new certificate for you (Todd) later today or tomorrow.”

Yeah, thanks for everything, Kristian; it’s time to move to keys.openpgp.org. ®