Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 08 Oct 2012 23:36:15 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1

On 10/08/2012 11:32 PM, Stephan Seitz wrote:
>
>
> On Monday, 08.10.2012, at 23:09 +0200, Kristian Fiskerstrand wrote:
>
>>>
>>>> I already use name-based vhosts (thanks for your explanation of TLS,
>>>> phil), so I could configure two proxies which are identical despite the
>>>> hostname and the certificates. That way, I would use two different
>>>> keys / crts without the need for subjectAltName.
>>>>
>>>
>>> Again, yup
>>>
>>
>> Agreed too quickly there, you'll still need to generate a new CSR from
>> your private key that I can sign, where I'll add a subjectAltName, but
>> in that setup only the subjectAltName will ever be used, as the primary
>> host will be handled by your setup and different cert.
>
> Ah, I see. So I'm going to send you a csr in a few minutes ;)
>
> Just to get it right,
> dig +short A hkps.pool.sks-keyservers.net
> shows some pool IPs, though the expected servername is
> hkps.pool.sks-keyservers.net
>
> dig +short srv _pgpkey-https._tcp.hkps.pool.sks-keyservers.net
> shows redirections to other servers, so clients doing a srv query are
> expecting the redirected hostname.
Yeah, I've just removed the SRV records from the pool until the two
bugs[0, 1] for SRV are fixed. As the port number in the SRV record isn't
used anyways [0], and I'm not doing any SRV weighting, having this
record isn't much use.
[0] https://bugs.g10code.com/gnupg/issue1446
[1] https://bugs.g10code.com/gnupg/issue1447
--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"Great things are not accomplished by those who yield to trends and fads
and popular opinion."
(Jack Kerouac)
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
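
Added example, not part of the original message or of the sks-keyservers.net tooling: the CSR and subjectAltName arrangement discussed above, run end to end with OpenSSL, followed by the hostname check for the pool name and for another hostname such as an SRV target. The CA is a throwaway stand-in created for the demo and `keys.example.org` is a placeholder for the operator's own vhost name.

```shell
#!/bin/sh
# Added example. POOL is the name from the thread; OWN is a placeholder for
# the operator's own vhost name (also what an SRV target would look like).
POOL=hkps.pool.sks-keyservers.net
OWN=keys.example.org

# make_pool_cert DIR: writes ca.crt, server.key, server.csr, server.crt in DIR
make_pool_cert() {
    d=$1
    # Throwaway CA standing in for the pool operator's CA (constructed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo pool CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Server operator: private key plus a CSR made from it. No SAN requested.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/server.key" -subj "/CN=$OWN" \
        -out "$d/server.csr" 2>/dev/null || return 1
    # CA side: the subjectAltName is added at signing time via an extfile.
    printf 'subjectAltName=DNS:%s\n' "$POOL" > "$d/san.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$d/san.ext" \
        -out "$d/server.crt" 2>/dev/null
}

# check_name CERT HOST: prints "match" or "no-match" (OpenSSL's hostname check)
check_name() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
        echo match
    else
        echo no-match
    fi
}

# same_key CERT KEY: prints "yes" if the cert carries the key's public half
same_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ] && echo yes || echo no
}

WORK=$(mktemp -d)
make_pool_cert "$WORK" || { echo "openssl failed" >&2; exit 1; }
echo "issued cert uses operator key: $(same_key "$WORK/server.crt" "$WORK/server.key")"
for name in "$POOL" "$OWN"; do
    echo "$name: $(check_name "$WORK/server.crt" "$name")"
done
```

The certificate matches only the pool name because OpenSSL ignores the subject CN once a DNS subjectAltName is present, so a client that verifies against any other hostname gets the no-match result.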