sks-devel

Re: [Sks-devel] status page


From: Simon Lange
Subject: Re: [Sks-devel] status page
Date: Sat, 19 Apr 2014 02:21:16 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
On 18.04.2014 23:16, Phil Pennock wrote:
> On 2014-04-18 at 20:24 +0200, Simon Lange wrote:
> > the reason why a reverse proxy is "required" is because some
> > require additional "security" at the nodes.
>
> False.
Ehm, nope. That is what I've been told when I asked why the reverse proxy. ;)
But good to know. :=)

> > yesterday I learned I
> > have to give up control over who is using his domain with my services. :/
>
> False.  As long as you can find people who will peer with you, you do
> not need to be in any pools at all.

That's not the topic. And it's rude, btw.

>
> > currently for :80 I do accept all for ^(.*)pool.sks-keyservers.net and
>
> Note that Kristian's pool is considered well-run and is used as the
> target of CNAMEs by other people.  Most notably, `keys.gnupg.net` is a
> CNAME to `pool.sks-keyservers.net`.
>
> So if you only whitelist for a pattern which, when unbroken, is:
>
>  ^(?:.+\.)?pool\.sks-keyservers\.net
>
> then you've broken access by people using the default configuration of
> GnuPG.  Kristian doesn't want those people to experience a broken
> service, so you don't get listed.

And that is written where exactly? See? That's why I requested techdoc?!
But keys.gnupg.net is already covered too. ;)

>
> Kristian _could_ decide to only support certain CNAMEs, then
> exhaustively test for all of those working, then going through the
> song-and-dance of de-listing most sites when he adds one more CNAME.
> Instead, he just says "to be listed in my pools, then on port 11371, all
> HTTP requests under `/pks/` should be passed to SKS, no matter what is
> in the Host: header".  This creates less stress, less bureaucracy, less
> of a culture of having to ask permission for every action.

Allowing ALL is not a really good option. I already explained why. And a
page with techdoc on which hostnames should be allowed is not much.
Why use less procedure for pool registration than for gossip? What's the point
of this? Because of less bureaucracy? Less stress?
I don't think it's much stress and bureaucracy to tell people what hostnames
should be able to use the service.

>
> > domains using our services. its a matter of respect AND security. its an
> > optin feature not a optout.
>
> Absolutely: you don't need to be listed in a pool, there is no hard
> requirement for it.

Right, and you don't need to learn anything anymore since you know
everything. Oh wait. ;)
Try being less rude, and please try to follow arguments.

>
> _I_ won't give away _my_ bandwidth for free to provide others with keys
> if they're not giving back to the community by being listed in public
> pools.  That's my choice, in not subsidising other peoples' businesses
> and hobbies from my own pocket more than I already do with my time on
> open source projects.

That just proved that you didn't understand anything I wrote. This is not
against good people. You don't protect your servers and your environment
against "good people". You protect them against "bad people". So hard to
understand?!
And exactly THAT'S WHY I don't allow FQDNs like keys.npd.de to use my
keyserver. I don't support racist or inhuman parties/organizations. If
you don't care for your community, okay. But for people who do care, it's
maybe a problem to allow those people to advertise with services which are
not run by them.

All others are invited. Give me a short notice and I put them on. That's
the concept of opt-in. This is how you configure firewalls too: deny all
and tell what's allowed. In this case easy to do. That's why I really don't
understand your attitude.


>
> That's okay.  You and I don't have to peer.  There is no one right way,

Nobody talks about peering. m)

> no authority saying everyone must peer, no right to peering, no
> expectation that everyone agree.

m)

>
> You can probably find other people who will peer with you.

You don't get it. The topic is NOT peering. m)

>
> > (11371). There is absolutely no reason for a Via (which may expose the
> > used software)
>
> You don't need to expose full version, but revealing "Apache/2" provides
> enough for most debugging.  If revealing even that much makes you
> vulnerable, then you have bigger problems, because more intrusive
> platform fingerprinting by those of malicious intent will identify your
> platform anyway.

You are derailing the topic.

>
> > FQDNs to use that specific service. Not allowing anyone except FQDNs which
> > did ask before is far more secure. (E.g. I don't want any racist website
> > to advertise with MY services under THEIR domain, but because I cannot
> > KNOW all such domains, it's better to deny all and allow a few).
>
> Go ahead, use that policy.  Find others who agree, create pool
> definitions which tightly control which final hostnames can be used.

You're repeating yourself. Try arguments, and read.

>
> Kristian has made his pool software freely available for others to use:
>   https://code.google.com/p/sks-keyservers-pool/
> I have made my own pool software freely available for others to use:
>   https://github.com/philpennock/sks_spider
>
> You have two platforms available for you to run pools using whatever
> criteria you like.  Go for it.  Just don't expect anybody to take you
> seriously if you try telling us what criteria we are *allowed* to use
> for our own pools.

You really should learn reading and understanding. Btw: "us"? I did
SUGGEST things. You may reread.


>
> > this is not a rant, but maybe sounds rude to some.
>
> It was a rant.  Your claiming otherwise did not make it not a rant and

It was not. But you didn't understand anyway. Who cares at this point of
your rude mail.

> Thank you for making your keyserver usable by the pools.  I may
> strenuously disagree with your stance and your demands, but as long as
> you're providing a public service, I'm happy to continue peering with
> you.  If you change your mind about providing a public service which can
> be freely listed by anyone, please do let me know and I will remove your
> system from my peering membership list.

Bullshit galore. Congratz. :D You completely missed the topic, the point,
everything.

>
> -Phil

*PLONK*

- -- 
________________________________________________________
Simon Lange Consulting  - Gaudystr. 6  - DE-10437 Berlin
Telefon: +49(0)30/89757206 Mobil: +49(0)151/22640160
- ----------------------------------------http://s-l-c.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
 
iQEcBAEBAgAGBQJTUcF8AAoJELCfvQa91QO+W6UIAKDKxKSiTSSVYA7gw1hBiRmL
vu8Mi3rh9/+rGE2SlisCcmW23SznE2Uzmkpxc/hA3W+M67U6bUd6gLJEmNpc4R01
OGFZC+ohLVhIYJFBCeWdtKjrsnIVxw5SvRPoZlDhN7XNRtgpskWU4fLwGxbNrwt0
2T+i//37svHGan0vp+TI028izxbqi01sRk+MNTLg5sAHBvueOucY/OygLvqgIqXE
Sz4O7rMd44IQ6roQO3o6o+pocOZ7mdJR6o2gu8n+f2UboKLwtE5UbeHdsbjTli4O
o/DZNzL22C0WWE2tAmshrHibaFEgingUbr3Y+5w9OrT6W0rUW4Z7YWMRDNcCwb4=
=2RxF
-----END PGP SIGNATURE-----
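The argument above turns on two Host-header policies: the regex allowlist on :80 (the unescaped `^(.*)pool.sks-keyservers.net` form versus the unbroken `^(?:.+\.)?pool\.sks-keyservers\.net`), and the pool rule that on port 11371 everything under `/pks/` is passed to SKS no matter what the Host header says. The Python below is an added illustration of those two policies; it is not part of this thread, of SKS, or of any operator's or pool's actual configuration. Assumptions it makes: the trailing `$` on the pool pattern (the thread's pattern has none), the stripping of a `:port` suffix from the Host header, an explicit extra allowlist containing `keys.gnupg.net` to mirror the remark that it is "already covered", and the hostnames in the demo, which are constructed.

```python
import re

# Phil's pattern from the thread, written "unbroken".  The leading "(?:.+\.)?"
# admits any subdomain of the pool; the escaped dots are literal dots.  The
# trailing "$" is an addition of this example (assumption): without it, any
# name that merely *starts* with the pool name would also be accepted.
POOL_RE = re.compile(r"^(?:.+\.)?pool\.sks-keyservers\.net$")

# The unescaped pattern quoted from the :80 configuration, kept for comparison:
# each unescaped "." matches any character and nothing anchors the end.
LOOSE_RE = re.compile(r"^(.*)pool.sks-keyservers.net")

# Names allowed explicitly on :80 (assumption, modelled on the remark that
# keys.gnupg.net "is already covered too").  A CNAME does not change what the
# client puts in the Host header, so the CNAME's own name must be listed.
EXTRA_ALLOWED = {"keys.gnupg.net"}


def normalise_host(header: str) -> str:
    """Reduce a raw Host header to a comparable hostname.

    Clients send 'host:port' when the port is non-default (e.g. 'x:11371'),
    hostnames are case-insensitive, and a trailing dot names the same host.
    """
    host = header.strip().lower()
    if host.startswith("["):          # IPv6 literal: never allowlisted here
        return host
    host = host.partition(":")[0]     # drop ':port'
    return host.rstrip(".")


def pattern_matches(header: str, pattern: "re.Pattern[str]") -> bool:
    """True if the normalised Host header matches the given allowlist regex."""
    return pattern.match(normalise_host(header)) is not None


def host_allowed(header: str) -> bool:
    """The :80 policy: explicit names plus the (anchored) pool pattern."""
    host = normalise_host(header)
    return host in EXTRA_ALLOWED or POOL_RE.match(host) is not None


def route(port: int, path: str, host_header: str) -> str:
    """Decide whether a request reaches SKS; returns 'sks' or 'deny'.

    Models a reverse proxy in front of SKS (assumption) with the two policies
    from the thread:
      * port 11371 (the pool listing rule): every request under /pks/ is
        passed to SKS and the Host header is ignored;
      * port 80 (the operator's own front door): only allowlisted Host values
        reach SKS.
    """
    path_only = path.split("?", 1)[0]
    under_pks = path_only == "/pks" or path_only.startswith("/pks/")
    if port == 11371:
        return "sks" if under_pks else "deny"
    if port == 80:
        return "sks" if under_pks and host_allowed(host_header) else "deny"
    return "deny"


if __name__ == "__main__":
    # Constructed Host values; none of these are real deployments.
    for host in ("pool.sks-keyservers.net", "EU.pool.sks-keyservers.net:11371",
                 "keys.gnupg.net", "pool.sks-keyservers.net.attacker.example",
                 "poolXsks-keyserversXnet"):
        print(f"{host:45} loose={pattern_matches(host, LOOSE_RE)!s:5} "
              f"anchored={pattern_matches(host, POOL_RE)!s:5} "
              f"allowed_on_80={host_allowed(host)}")
    print(route(11371, "/pks/lookup?op=get&search=0xDEADBEEF", "anything.example"))
```

Two things the demo makes visible: the unescaped pattern accepts `poolXsks-keyserversXnet` and `pool.sks-keyservers.net.attacker.example`, which a Host-based allowlist should not, and the anchored pattern on its own rejects `keys.gnupg.net`, which is exactly the GnuPG-default breakage described in the thread unless that name is listed explicitly.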



