
Re: [Sks-devel] sks-keyservers.net New HKPS subpool added


From: Stephan Seitz
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Sat, 06 Oct 2012 11:12:57 +0200

On Saturday, 06.10.2012, 02:28 -0400, Daniel Kahn Gillmor wrote:
> On 10/05/2012 06:23 PM, Phil Pennock wrote:
> > Speaking for myself, I only use TLSv1+ and my nginx is built with SNI
> > support, so if you want to figure out a policy for handing out certs, I
> > can add a new cert for SNI hostnames in *.pool.sks-keyservers.net.
> 
> alternately (or in addition?), we could use monkeysphere and the hkpms
> gpg keyserver handler, which would let us trivially add extra hostnames
> to each keyserver's certificate (an OpenPGP certificate, not X.509).

I'd like to add SSL to my server, but first I'm afraid I need a few
questions answered.
If I'm going to install a self-signed *.pool.sks-keyservers.net, that
CRT wouldn't have any reputation. As long as there's no additional trust
added (e.g. via monkeysphere), one main purpose of certificates, the
knowledge of talking to the right server, isn't given.
Maybe I'm completely wrong, but if every pool member installs his/her
own self-signed CRT (which obviously needs to be done, as these CRTs
need to cover the particular hostname as well as
*.pool.sks-keyservers.net), clients would have to fiddle with a lot of
different fingerprints. Wouldn't that weaken the trustworthiness?
I'm also concerned about the self-signed CAs. If we're going to
self-sign certs, shouldn't we send the CSRs to Kristian to have them
signed by his CA?

Oh, and one slightly off-topic question. Do any of you know the
current acceptance of TLS1.1/SNI in the web? I'd need to switch to SNI
for Port 443.


cheers,

Stephan 
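An added check, not from this thread, that a pool member could run against the subjectAltName list of a candidate certificate to confirm it covers both its own hostname and the pool name clients actually connect to (the point raised above about each CRT needing to cover both). The member hostname, the SAN lists and the hkps pool name used below are constructed for illustration.

```python
import hashlib

# Constructed: the hostnames a client might use to reach this member, either
# directly (hypothetical member hostname) or via the pool name from the subject.
CLIENT_HOSTNAMES = ["keys.example.org", "hkps.pool.sks-keyservers.net"]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching: a leading '*' covers exactly one label.

    '*.pool.sks-keyservers.net' matches 'hkps.pool.sks-keyservers.net' but
    neither the bare parent 'pool.sks-keyservers.net' nor a deeper name.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    pattern_labels = pattern.split(".")[1:]
    host_labels = hostname.split(".")
    # The wildcard stands in for one non-empty leftmost label only.
    return (
        len(host_labels) == len(pattern_labels) + 1
        and host_labels[0] != ""
        and host_labels[1:] == pattern_labels
    )


def uncovered_hostnames(san_names, hostnames=CLIENT_HOSTNAMES):
    """Return the client-facing hostnames that no SAN entry matches."""
    return [
        h for h in hostnames
        if not any(wildcard_matches(p, h) for p in san_names)
    ]


def fingerprint_sha256(der_bytes: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER certificate, as a client
    would have to pin per member if every member used its own self-signed CRT."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    # Constructed SAN lists: the first misses the pool name, the second covers both.
    print(uncovered_hostnames(["keys.example.org"]))
    print(uncovered_hostnames(["keys.example.org", "*.pool.sks-keyservers.net"]))
```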


