gpg.mozilla.org service has ended

gpg.mozilla.org was an OpenPGP Synchronizing Key Server (SKS) which participated in the global mesh of SKS servers that enabled OpenPGP users to retrieve and publish public keys.

In June of 2019 attackers showed the ease of a certificate spamming attack that can poison clients' OpenPGP installations when the affected certificates are fetched.

Robert J. Hansen, a member of the GnuPG project, was one of the people whose certificate was affected. He has a good writeup on the incident and its impact on the use of SKS keyservers like gpg.mozilla.org.

The vulnerability is recorded in CVE-2019-13050.

As a result of this type of attack being seen in the wild, the problems Robert Hansen identifies in his post about mitigating this vulnerability in SKS servers, and unrelated operational challenges Mozilla has encountered in operating the gpg.mozilla.org SKS server, we've decided to stop hosting the gpg.mozilla.org SKS service as of September 2020.

For users who have configured their OpenPGP client to use gpg.mozilla.org, we recommend that you either stop using the keyserver-based features of OpenPGP entirely by removing the keyserver directive from your gpg.conf configuration, or configure your gpg.conf to use keyserver hkps://keys.openpgp.org instead. The latter will cause your client to use the keys.openpgp.org service as your keyserver, which avoids this problem because keys.openpgp.org is not part of the keyserver network.
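
The second option above, as an added example rather than anything published by Mozilla: a shell function that rewrites active keyserver directives pointing at gpg.mozilla.org to hkps://keys.openpgp.org and leaves a backup of the original file. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Mozilla's code). Function names are hypothetical.
NEW_KS='hkps://keys.openpgp.org'   # replacement keyserver named on the page

# Rewrite active "keyserver" directives that point at gpg.mozilla.org.
# Returns 0 if the file was changed (backup in <file>.bak), 1 if no
# matching directive was found, 2 on I/O error.
migrate_keyserver() {
    conf=$1
    [ -f "$conf" ] || return 2
    tmp=$(mktemp) || return 2
    rc=0
    awk -v new="$NEW_KS" '
        # Commented-out lines have "#..." as $1 and are left alone.
        # Match any scheme (hkp, hkps, ...), optional port, any letter case.
        $1 == "keyserver" &&
        tolower($2) ~ /^([a-z]+:\/\/)?gpg\.mozilla\.org(:[0-9]+)?\/?$/ {
            print "keyserver " new; changed = 1; next
        }
        { print }
        END { exit (changed ? 0 : 1) }
    ' "$conf" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Write through the existing file so its permissions are kept.
        { cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"; } || rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demonstration on a constructed config file (never touches ~/.gnupg).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/gpg.conf" <<'EOF'
# keyserver hkp://gpg.mozilla.org
keyserver hkps://GPG.mozilla.org:443
keyserver-options honor-keyserver-url
EOF
    rc=0
    migrate_keyserver "$d/gpg.conf" || rc=$?
    cat "$d/gpg.conf"
    rm -rf "$d"
    return "$rc"
}
demo
```

Run migrate_keyserver against your own gpg.conf and, on GnuPG 2.1 or later, against dirmngr.conf as well, since the keyserver option can be set there too.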