Commit ce7356cc authored by Vincent Breitmoser's avatar Vincent Breitmoser

about: write "three months later" news entry

parent 52e86328
Pipeline #81905134 passed with stage
in 17 minutes and 46 seconds
......@@ -2,10 +2,186 @@
<div class="about">
<center><h2><a href="/about">About</a> | News | <a href="/about/usage">Usage</a> | <a href="/about/faq">FAQ</a> | <a href="/about/stats">Stats</a> | <a href="/about/privacy">Privacy</a></h2></center>
<h3>
<h2 id="2019-09-12-three-months-later">
<div style="float: right; font-size: small; line-height: 2em;">2019-09-12 📅</div>
<a style="color: black;" href="/about/news#2019-09-12-three-months-later">Three months after launch ✨</a>
</h2>
<p>
It has been three months now
<a href="/about/news#2019-06-12-launch">since we launched</a>
<span class="brand">keys.openpgp.org</span>.
We are happy to report:
It has been a resounding success!
🥳
<h4>Adoption in clients</h4>
<p>
The
<span class="brand">keys.openpgp.org</span>
keyserver has been received very well by users,
and clients are adopting it rapidly.
It is now used by default in
<a href="https://gpgtools.org/" target="_blank">GPGTools</a>,
<a href="https://enigmail.net/" target="_blank">Enigmail</a>,
<a href="https://www.openkeychain.org/" target="_blank">OpenKeychain</a>,
<a href="https://github.com/firstlookmedia/gpgsync" target="_blank">GPGSync</a>,
Debian,
NixOS,
and others.
Many tutorials have also been updated,
pointing users our way.
<p>
At the time of writing,
more than 70.000 e-mail addresses
have been verified.
<center style="margin-top: 2em; margin-bottom: 2em;">
<img src="/assets/img/stats-addresses-2019-09-12.png" style="padding: 1px; border: 1px solid gray;" /><br />
<span style="font-size: smaller;">If that isn't a promising curve, I don't know what is :)</span>
</center>
<p>
A special shout-out here goes to GPGTools for macOS.
They implemented the update process so smoothly,
the number of verified addresses completely exploded
when they released their update.
<h4>All's good in operations</h4>
<p>
There is not a lot to report operationally,
and no news is good news in this case!
Since launch,
there was nearly zero downtime,
only a single bug came up
that briefly caused issues during upload,
and support volume has been comfortably low.
<p>
Our traffic is currently
at about ten requests per second
(more during the day, less on the weekend),
and we delivered roughly 100.000 mails
in the last month.
No sweat.
<p>
We made several small operational improvements
including deployment of
<a href="http://dnsviz.net/d/keys.openpgp.org/dnssec/" target="_blank">DNSSEC</a>,
implementing some
<a href="/about/api#rate-limiting" target="_blank">rate-limiting</a>,
nailing down our
<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">content security policy</a>
headers,
and enabling
<a href="https://blog.torproject.org/whats-new-tor-0298" target="_blank">single-hop</a>
mode on our Tor Onion Service.
You can find a more complete list
<a href="https://gitlab.com/hagrid-keyserver/hagrid/merge_requests?scope=all&utf8=%E2%9C%93&state=merged" target="_blank">here</a>.
<h4>Secure mail delivery with MTA-STS</h4>
<p>
One improvement that deserves special mention is
<a href="https://www.hardenize.com/blog/mta-sts">MTA-STS</a>,
which improves the security of outgoing e-mails.
<p>
While HTTPS is deployed fairly universally these days,
that sadly isn't the case for E-Mail.
Many servers don't do encryption at all,
or use a self-signed certificate
instead of a proper one (e.g. from Let's Encrypt).
But delivery failures upset customers more
than reduced security,
and many mails are still delivered without encryption.
<p>
With MTA-STS, domain operators can indicate
(via HTTPS)
that their mail server <em>does</em> support encryption.
When a secure connection can't be established
to such a server,
message delivery will be postponed
or eventually bounce,
instead of proceeding insecurely.
<p>
This is extremely useful for service like
<span class="brand">keys.openpgp.org</span>.
If encryption isn't reliable,
attackers can intercept verification mails relatively easily.
But for providers who have MTA-STS deployed,
we can be sure that
every message is delivered securely,
and to the right server.
<p>
You can <a href="https://aykevl.nl/apps/mta-sts/" target="_blank">run a check</a>
to find out whether your e-mail provider
supports MTA-STS.
If they don't,
please drop them a message and tell them
to step up their security game!
<h4>Work in progress</h4>
<p>
We are working on two features:
<p>
The first is <strong>localization</strong>.
Most people do not speak English,
but so far that is the only language we support.
To make this service more accessible,
we are working with the OTF's
<a href="https://www.opentech.fund/labs/localization-lab/" target="_blank">Localization Lab</a>
to make the website and outgoing e-mails
available in several more languages.
<p>
The second is to bring back
<strong>third-party signatures</strong>.
As <a href="/about/faq#third-party-signatures">mentioned in our FAQ</a>,
we currently don't support these due to spam and potential for abuse.
The idea is to require
<a href="https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/20/diffs" target="_blank">cross-signatures</a>,
which allow each key to choose for itself
which signatures from other people it wants to distribute.
Despite this extra step,
this is fairly compatible with existing software.
It also nicely stays out of the way of users
who don't care about signatures.
<p>
Although work is in progress for both of those features,
neither have a planned time of release yet.
<p>
Regarding the "<tt>no user ID</tt>" issue with GnuPG
(mentioned in our
<a href="/about/news#2019-06-12-launch-challenges">last news post</a>
and our
<a href="/about/faq#older-gnupg" target="_blank">FAQ</a>),
a patch that fixes this problem is now carried by Debian,
as well as GPGTools for macOS.
GnuPG upstream has not merged the patch so far.
<p>
That's it!
Thanks for your interest!
<span style="font-size: x-large;">👋</span>
<hr style="margin-top: 2em; margin-bottom: 2em;" />
<h2 id="2019-06-12-launch">
<div style="float: right; font-size: small; line-height: 2em;">2019-06-12 📅</div>
<a href="/about/news#2019-06-12-launch">Launching a new keyserver! 🚀</a>
</h3>
<a href="/about/news#2019-06-12-launch" style="color: black;">Launching a new keyserver! 🚀</a>
</h2>
<p>
From a community effort by
......@@ -89,7 +265,7 @@
We hope that this will also give us some momentum
to build this project into a bigger community effort.
<h4>Current challenges</h4>
<h4 id="2019-06-12-launch-challenges">Current challenges</h4>
<p>
Privacy-preserving techniques in keyservers are still new,
......@@ -127,6 +303,7 @@
and an <a target="_blank" href="/about/faq#tor">Onion Service</a>!
<p>
Cheers! 🍻
Cheers!
<span style="font-size: x-large;">🍻</span>
{{/layout}}
......@@ -9,6 +9,6 @@
<hr />
<p>
<strong>News:</strong> <a href="/about/news#2019-06-12-launch">Launching a new keyserver! 🚀</a> (2019-06-12)
<strong>News:</strong> <a href="/about/news#2019-09-12-three-months-later">Three months after launch ✨</a> (2019-09-12)
</p>
{{/layout}}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment