From the Canyon Edge -- :-Dustin

Monday, February 11, 2013

Introducing Hockeypuck -- a new HKP server

[Prerequisite: You should first read Casey's introduction
to HKP and Hockeypuck on his blog here.]

Anyone who has ever used Ubuntu, Debian, Launchpad, or apt-get has implicitly trusted a sophisticated public key distribution protocol called "HKP" or, HTTP Keyserver Protocol.  Originally designed for encrypting and signing email, asymmetric key pairs are used to sign, encrypt, decrypt and check signatures of thousands of packages on almost any Linux system.

Many (most?) public key servers today, such as, use an open source package called SKS (synchronizing key server) to distribute public keys.

Within Gazzang's zTrustee product, we rely on HKP to exchange public keys between client's and server.  In our first implementation, we simply used SKS as installed from the Ubuntu repositories.  SKS worked well in some environments, but it didn't scale well to larger environments, where hundreds of thousands of clients running on cloud servers were exchanging public keys in an automated fashion.

Moreover, we envisioned a system where user and host public SSH keys and server public SSL certificates might be exchanged in the same fashion, using the same protocol.  We considered trying to extend SKS to improve the scalability and feature set.

In the end, we decided a new HKP implementation, leveraging a modern, high performance NoSQL key-value store -- MongoDB -- and written in modern language -- The Go Programming Language -- would enable us to build a more efficient, type-safe, memory-safe, concurrent, garbage-collected, fast implementation of HKP.  We could also extend the feature set with a nice user interface and natively support other public keys.

With the general ideas fleshed out, my esteemed colleague, Casey Marshall, got to work on Hockeypuck -- his implementation of HKP in Golang and MongoDB -- freely available under the AGPL.  All credit for the development of Hockeypuck up to this point goes entirely to Casey :-)  That said, he's really quite interested in outside contributions and help at this point, so if you're proficient in Golang and looking to contribute to an awesome security project, here's your bogey!

We at Gazzang are hosting a reference Hockeypuck server at:

But you don't have to use our Hockeypuck server ... we're absolutely delighted that Hockeypuck has been accepted into Ubuntu's 13.04 (raring) distribution in Universe.  It's as easy as:

$ sudo apt-get install hockeypuck

in Ubuntu 13.04 to get your Hockeypuck server up and running.  For other Ubuntu releases, Casey is publishing backports to a stable and an unstable PPA.

This server has successfully imported the world's current public key ring -- that's 4GB of OpenPGP public key information!  Casey's still working on the synchronization, which is based on SKS's "recon protocol".  Again, if you're into hard core polynomial math, can read and understand OCaml, and are interested in re-working that algorithm in Golang, get in touch with us :-)

We're really, really interested in your feedback at this point!  You can file bugs against the project and packages here.  We're also looking for your feature requests...  How would you like to use a public key server?  Would you find it useful to import your SSH server or host public keys from a key server?  Would you find it useful to see "badges" by keys, indicating that key's level or trust?  Or perhaps that a key has been "verified"?  What about linking public keys to OpenID or OAuth logins?  Or what about [insert your idea here!]...

Comments?  Bring 'em on!


1 comment:

  1. Any gotchas on deploying a server? I'd like to take a stab at charming this.


Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.