“A nearly impenetrable thicket of geekitude…”

Technology Stir Fry, the blog

SKS Key Servers Gone

Posted on July 5, 2021 at 16:53

As a counterpoint to my previous entry about key signing policies, I thought it would be amusing to juxtapose a note that, yet again, using PGP/GPG in the real world has become more difficult.

This time, it’s because one of the most popular ways of acquiring keys for other people — the sks-keyservers.net pool of key servers — has hung up its boots.

The site itself says that this was the result of “GDPR takedown requests”; this appears to mean requests to remove personal information under Article 17 of the GDPR, commonly known as the “right to be forgotten”. Of course PGP/GPG public keys usually include the owner’s name and e-mail addresses as part of the user IDs that are signed to make the web of trust work.

The way the SKS key server software works doesn’t allow removal of a user’s key: it’s designed to propagate every key known to every node. Manually removing a key from a node, even if that were possible, would be futile as it would simply arrive again from another node (or could be uploaded again by a third party).

If you’re looking for a replacement for the SKS key server pool, one option is to find a key server that is still in operation, such as “old faithful” at pgp.mit.edu which is unlikely to be swayed by requests based on the EU-centric GDPR. Some other servers are based on the more modern Hockeypuck software, although it’s not clear to me that it’s any less prone to the same issue that did away with the SKS pool. For the moment, I’m using pgp.re; we’ll see how it goes.

The other service that’s of interest here is keys.openpgp.org. This has been gaining popularity for a while as these days it’s configured as the default key server in a number of packages. It’s probably not going to run into the GDPR issue by virtue of its requirement that if you upload your key there and do nothing else, the user IDs on your key are not displayed on privacy grounds. To make your user IDs visible, you must explicitly request a management link to be sent to your e-mail address, then follow that and enable visibility for the e-mail address on that key. You can also delete the e-mail address from the key if you want.

Unfortunately, by far the majority (upwards of 90%) of the keys in my public keyring are present in keys.openpgp.org but without any user IDs. This makes them essentially useless unless you’ve previously exchanged a copy of the key directly; gpg for example refuses to even import public keys that lack a user ID:

$ gpg --recv 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gpg: key XXXXXXXXXXXXXXXX: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

If you find yourself in this bind, the only option seems to be to somehow figure out who the owner is (which is hard given that the user ID is missing) and then get the full public key from them directly (which makes the use of a key server close to pointless) or get them to go through the management process to expose their user ID. This can be particularly tricky to explain because, of course, everything works fine for them as they have a copy of the full key in their own keyring.
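As an added example (not code from this post or from GnuPG), here is a small RFC 4880 packet walker that reports whether a binary, non-armored key blob carries any User ID packets, i.e. whether gpg would import it or skip it as in the transcript above; the two sample blobs at the end are constructed test data with dummy key material, not real keys.

```python
# Walk the packets of a binary OpenPGP key blob (RFC 4880 packet headers)
# and list its User IDs. Constructed example; not from the post or GnuPG.
PUBLIC_KEY, SIGNATURE, USER_ID, PUBLIC_SUBKEY = 6, 2, 13, 14

def read_packet(data, pos):
    """Return (tag, body, next_pos) for the packet whose header starts at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("no OpenPGP packet header at offset %d" % pos)
    if first & 0x40:  # new-format header: tag is the low six bits
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:
            length, hdr = o1, 2
        elif o1 < 224:
            length, hdr = ((o1 - 192) << 8) + data[pos + 2] + 192, 3
        elif o1 == 255:
            length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled here")
        n = (1, 2, 4)[ltype]
        length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
    start = pos + hdr
    return tag, data[start:start + length], start + length

def user_ids(blob):
    """List the User ID strings found in the blob, in packet order."""
    uids, pos = [], 0
    while pos < len(blob):
        tag, body, pos = read_packet(blob, pos)
        if tag == USER_ID:
            uids.append(body.decode("utf-8", "replace"))
    return uids

def importable(blob):
    """gpg skips a public key with no User ID packet, as in the transcript."""
    return bool(user_ids(blob))

def packet(tag, body):
    """Build a new-format packet with a one-octet length (test data only, body < 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body

DUMMY = b"\x04" + b"\x00" * 20  # stand-in for key material; not a real key
FULL_KEY = (packet(PUBLIC_KEY, DUMMY) + packet(USER_ID, b"Alice <alice@example.org>")
            + packet(SIGNATURE, b"\x04\x13"))
STRIPPED_KEY = packet(PUBLIC_KEY, DUMMY) + packet(PUBLIC_SUBKEY, DUMMY)
```

Feed it the raw bytes of a key fetched from a key server (`gpg --dearmor` first if it is ASCII-armored) to see whether the User IDs survived before attempting the import.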

New Key Signing Policy

Posted on July 5, 2021 at 16:23

A few months into the current unpleasantness, it became pretty apparent that I wasn’t going to be doing much travelling any time soon. This made my PGP/GPG Key Signing Policy 2013-11-07 (which requires in-person meetings) almost entirely unusable for new signatures.

I still have a need to cross-sign keys with colleagues, however, so I have put together a revised PGP/GPG Key Signing Policy 2021-02-25.

The new policy takes advantage of PGP’s ability to specify different signature certification levels depending on the strength of proofing performed (or on other factors; the specification is not precise with respect to the meaning of each level).

A level 3 certification (the only one I have used prior to writing the new policy) is still defined to require in-person physical meeting. I have however added the possibility of using the lower level 2 certification in the case of people who are already known to me who for one reason or another I can only meet on-line. The details are in the policy.

No FLoC Here

Posted on May 10, 2021 at 16:21

Every HTTP request to this site now includes the following header in the response:

Permissions-Policy: interest-cohort=()

Read on for the rant explaining why.

Peacock

Posted on April 3, 2021 at 17:11

The photo’s a little bit fuzzy if you click to embiggen, but you don’t see one of those every day.

I can’t remember the last time I’ve seen one in town, in fact. A nice surprise.

Gnocchi

Posted on February 23, 2021 at 11:15

I made my first batch of potato gnocchi yesterday.

Texture and taste were pretty good (when cooked, and sauced) but I preferred the photograph above.

No, in a year of lockdown, I have never tried to make Sourdough. Why do you ask?

Bad Hair Days

Posted on February 18, 2021 at 19:19

My haircut is one year old today.

Postal Voting

Posted on December 29, 2020 at 15:00

[2021-04-06: The deadline for registering to vote by post for the 2021-05-06 elections has now passed. More than one million people are registered to vote by post in those elections, up by around 250,000. So that’s good.]

(If you don’t live in Scotland, this is probably not very interesting.)

Elections to the Scottish Parliament are scheduled for Thursday 6 May 2021. There’s a small possibility that might need to be pushed back, and there are contingencies for that eventuality, but I don’t think it’s likely to happen unless things get really bad.

Neither do I expect things to get really good by that time, and if you feel the same way it’s worth reflecting that in the UK it is possible to vote by post in this election. You don’t have to give a reason; in fact, there’s nowhere on the form to put one. You do have to apply for a postal vote in advance, however, and the deadline for that is proposed to be brought forward for this election to allow for the expected higher volume of applications.

So, why not take a few minutes and do it now? The generic application can be found on the Electoral Commission site. You can fill out everything but the signature online before printing it out, signing it and posting the form to your local Electoral Registration Officer.

The Downside

Posted on December 28, 2020 at 17:42

Engineering is about tradeoffs. The upside of the recent changes is that the site is now more readable in general, but there’s always a downside in any tradeoff. The main burr under my saddle with the new design is that in general, sans-serif typefaces tend to shy away from little typographical details. As a typography nerd of long standing, this particular example irks me:

This paragraph is set using $serif. When I say “Hello, world!” I expect you to see curved quotation marks: visibly different glyphs are used for the opening and closing characters. These are commonly likened to “66” and “99” respectively.

On the other hand, using $sans, when I say “Hello, world!” you may well not see any difference between the opening and closing glyphs, particularly at normal text sizes. In Apple’s San Francisco font (the default user interface font on current versions of their operating systems), the two glyphs are different: although they appear to be paired bars sloping in the same direction, in the “66” glyph the tops of the bars are slightly thinner than the bottoms, with the reverse being the case for the “99”. The difference is, I would say, pointlessly small at normal text sizes.

It’s a little more obvious at font-size: xx-large; but still something only a typography nerd would ever care about:

“Hello, world!”

For the benefit of those using a system presenting a different font, here is an image of just the two glyphs, at xx-large size and then magnified by a factor of two just to be sure:

[Image: curved quotation marks in San Francisco]

There’s always a downside. The trick, I suppose, is reducing it to the point where you can accept it. This is acceptable, but still sometimes irritating.

I did find the issue irritating enough in <blockquote>s like this that you will see that the large glyphs surrounding the block are in fact set in a serif typeface, although the body is sans-serif.

Site Design Changes

Posted on December 28, 2020 at 12:38

I have a long list of changes to make to this site one day, when I get the time or (more plausibly) when I am looking for a distraction.

This year, I have finally addressed the first of these, and if you’re reading this on the site rather than in a feed reader you may notice that most text now appears in the sans-serif font used by your operating system’s user interface. These fonts are usually highly optimised for screen use, and the result in most cases will be an improvement in readability, particularly on smaller devices.

This change sounds simple (and in the end, it was very straightforward) but required a lot of behind-the-scenes work to get to the point where it was simple to do.

If you’re interested, read on for details.

Quarterly Review

Posted on October 1, 2020 at 14:36

It’s the first day of October, and an OmniFocus task tells me it’s time to review what happened last quarter so that I can set goals for the next three months.

My mind is blank. I can’t think of a single thing I’ve achieved in the last three months. I mean, I remember doing some things, they are just unmoored in time. Did that thing happen in June, or was it February?

I’ve always had a pretty bad memory for events, and I think my brain is working as well as it ever has in most ways. I’m more inclined to the theory that I’m just experiencing the passage of time differently now that every day is the same as the last. The usual milestones — birthdays, anniversaries, conferences — just don’t exist any more and I can’t navigate without them.

I have often kept workbooks for long periods when it made sense, with 2003–2013 being the most recent block. I fell out of the habit, I think, when the nature of the work I was doing changed. These days, I tend to write copious working notes in applications like Bear but there’s no time component to those.

Coincidentally, 2013 seems to have been the year when I first tried journaling as a way of sorting out my thoughts at the end of the day. This seems to have been too vague a goal, and it didn’t stick: I did get my first introduction to the Day One journaling application, however. I’ve played with it a couple of times since.

How do I know this? Well, it’s all in Day One, of course. I still own the application, and seem to have been grandfathered into a lifetime legacy “Plus” status which gives me the basics of the application and (most importantly) sync across all my devices for free.

My new plan, then, is to start journaling again from today, but this time with the very specific goal of at least recording what I’ve been working on. In three months time, we’ll see whether a review of the quarter is feasible again, even if the temporal structure of my life hasn’t returned more naturally.
