Re: [Sks-devel] sks-keyservers.net New HKPS subpool added


From: Phil Pennock
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 8 Oct 2012 13:09:10 -0700

On 2012-10-08 at 21:32 +0200, Kristian Fiskerstrand wrote:
> The certificate presented by keys2.kfwebs.net should be a chained
> certificate containing both the CA itself and the individual cert for
> keys2.kfwebs.net. I'm not entirely sure that this is fully required, but
> at least it works for me :)

Right, that tests subjectAltName operation in TLS certificate
verification.  That works.

Unless everyone else _replaces_ their certs with certs issued by you,
that in itself doesn't help: it means you become the only person who can
issue certs for any SKS keyserver's HTTPS interface.

The key is for other people to be able to issue _different_ certs based
on the serverNameIndication in the TLS client hello message; vhosting,
like the Host: header in HTTP, but moved up into the TLS handshake so
that the server can select the correct key/cert pair to use for the
session.

I'll go ahead and send you a CSR shortly, so that sks.spodhuis.org can
have two certs and we can test.  :)

-Phil

Attachment: pgpwUITE6vxHX.pgp
Description: PGP signature

