Re: [Sks-devel] sks-keyservers.net New HKPS subpool added

[Kristian Fiskerstrand]

On 10/08/2012 11:05 PM, Stephan Seitz wrote:
> 

..

> Hi guys,

Hi Stephan,


> 
> sorry for asking dumb questions, but this is something far beyond my
> daily business ;)
> 
> I recently created a key /csr for keyserver.secretresearchfacility.com .
> It's signed by a CA, so I currently do have a valid crt.
> 
> As I read your posts, I guess I should  create a new csr for that key
> like:
> 
> subjectAltName = @alt_names
> 
> [alt_names]
> DNS.1 = keyserver.secretresearchfacility.com
> DNS.2 = hkps.pool.sks-keyservers.net

You don't need this part in the CSR, I ignore the subjectAltNames given
in the request and add it myself.


> and glue the results (my key, the two crt's and the intermediate(s))
> together?
> 
> I don't believe this will work ;)
> 

Neither do I :)

> 
> Another approach could be SNI, couldn't it?
> 

Yup

> I already use namebased vhosts (thank's for your explanation of TLS,
> phil), so I could configure two proxies which are identical despite the
> hostname and the certificates. That way, I would use two different
> keys / crts without the need for subjectAltName.
> 

Again, yup

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"Great things are not accomplished by those who yield to trends and fads
and popular opinion."
(Jack Kerouac)
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

signature.asc
Description: OpenPGP digital signature