Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 08 Oct 2012 22:12:31 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1
On 10/08/2012 10:09 PM, Phil Pennock wrote:
> On 2012-10-08 at 21:32 +0200, Kristian Fiskerstrand wrote:
>> The certificate presented by keys2.kfwebs.net should be a chained
>> certificate containing both the CA itself and the individual cert for
>> keys2.kfwebs.net. I'm not entirely sure that this is fully required, but
>> at least it works for me :)
>
> Right, that tests subjectAltName operation in TLS certificate
> verification. That works.
>
> Unless everyone else _replaces_ their certs with certs issued by you,
> that in itself doesn't help: it means you become the only person who can
> issue certs for any SKS keyserver's HTTPS interface.
Well, to be a pedant, only for the servers that are to be included in
the hkps pool :p
>
> The key is for other people to be able to issue _different_ certs based
> on the serverNameIndication in the TLS client hello message; vhosting,
> like the Host: header in HTTP, but moved up into the TLS handshake so
> that the server can select the correct key/cert pair to use for the
> session.
>
> I'll go ahead and send you a CSR shortly, so that sks.spodhuis.org can
> have two certs and we can test. :)
>
Lovely! Must admit my setup is a tad more plain than that (just using
nginx in front of SKS) :) Will be interesting to see how that goes.
--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Veni vidi visa
I came, I saw, I bought
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/