Re: [Sks-devel] sks-keyservers.net New HKPS subpool added

[Kristian Fiskerstrand]

On 10/08/2012 11:08 PM, Phil Pennock wrote:
> On 2012-10-08 at 23:01 +0200, Kristian Fiskerstrand wrote:
>> That seems like another bug to add to the SRV port not being used for
>> SRV handling. Are you sending it over to gnupg-{users,devel}?
> 
> I just filed a bug:
> 
>   https://bugs.g10code.com/gnupg/issue1447
> 
>> I'll have to remove the SRV record for keys.kfwebs.net for the pool to
>> function correctly at the moment, as this is not handled. But that bug
>> has already been reported upstream.
>>
>> Any thoughts on how I should proceed? Should I disable the cert check in
>> my crawler so that all hkps servers show up for now until some more of
>> the server operators (presuming they want to) generate CSRs, or, given
>> the young nature of this pool, would it be OK to just grow organically?
> 
> I think we should leave the cert check in, _if_ you can ensure that
> you're sending SNI of "hkps.sks-keyservers.net", to retrieve the correct
> cert from the server.
> 
> Then let it grow, and note that this pool is only going to be usable
> with bug-fixed GnuPG.


Well, unless we adhere to the bug itself and remove the SRV record,
which isn't strictly necessary for the standard port.

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"Great things are not accomplished by those who yield to trends and fads
and popular opinion."
(Jack Kerouac)
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

signature.asc
Description: OpenPGP digital signature