keys keys

The SKS OpenPGP
Key Server

SKS is a new OpenPGP keyserver whose goal is to provide easy to deploy, decentralized, and highly reliable synchronization.  That means that a key submitted to one SKS server will quickly be distributed to all key servers, and even wildly out-of-date servers, or servers that experience spotty connectivity, can fully synchronize with rest of the system. You can see SKS in action here:

And there are many more. Go here to see the members of a pool of sks keyservers.

The foundation of SKS is an efficient algorithm for reconciling remote data sets.  That algorithm is described in the following papers:

Downloading

SKS tarballs can be gotten from here, and there's also an hg repo. You can subscribe to the mailing list here.

Documentation

There isn't a lot of documentation at present, but you can get a lot of information from the mailing list. You can also look at the man page and the README from the distribution.

Features

  • Highly efficient and reliable reconciliation algorithm
  • Follows RFC2440 and RFC2440bis carefully --- unlike PKS, SKS supports new and old style packets, photoID packets, multiple subkeys, and pretty much everything allowed by the RFCs.
  • Fully compatible with PKS system --- can both send and receive syncs from PKS servers, ensuring seamless connectivity.
  • Simple configuration:  each host just needs a (partial) list of the other participating key servers.  Gossip is used to distribute information without putting a heavy load an any one host.
  • Supports HKP/web-based querying, and machine readable indices
The design of SKS is deliberately simple.  The server consists of two single-threaded processes.  The first, "sks db", fulfills the normal jobs associated with a public key server, such as answering web requests.  The only special functionality of "sks db" is that it keeps a log summarizing the changes to the key database.   "sks recon" does all the work with respect to reconciling hosts databases.   "sks recon" keeps track of specialized summary information about the database, and can use that information to efficiently determine the differences between its database and that of another host.

An important aspect of this design is that "sks recon" is largely decoupled from "sks db".  This means that with a bit of work, it should be possible to augment existing key servers to use the same reconciliation system.  Indeed, there isn't much about "sks recon" that is specific to PGP, and so the same code could be extended to apply to other databases.