Re: [Sks-devel] status page

[Arnold]

Hi list,

Trying to be a bit more on-topic again...

On 04/18/2014 10:42 PM, Simon Lange wrote:
> Am 18.04.2014 22:10, schrieb Martin Papik:
>> Answering ALL host names just makes you willing to participate in any
>> pool by default, without extra maintenance. But again, AFAIK this
>> isn't a requirement. Am I misinformed?
> 
> https://twitter.com/krifisk/status/456717051340791808
> "With a HTTP Host header not belonging to the specific hostname? Note
> the -H 'Host.....' , 11371 should allow ALL traffic through"

I figured this is because of the following.

HTTP is a unique protocol in that it allows the client to provide the hostname 
of
the host it is communicating to (basically it is a selection parameter a client 
can
provide, regardless of the hostname it resolved, for servers hosting several
websites). Other protocols, like SMTP, NTP, etc. just listen at a given IP/port
that the client 'somehow' manages to obtain. THAT is how most of the internet 
works.

I have not looked into it but I am not even sure HTTP requires the 'HOST' header
field to be present in requests. AFAIK it was not sent in the early days.

The key exchange protocol HKP is not an RFC standard. AFAIK it is best 
specified in
http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00
It does not mention the 'HOST' field, so I guess openGPG implementations using 
HKP
are not required to provide a (valid) HOST. Note that HKP is a protocol by 
itself
(P in HKP), just reusing some of HTTP.

People implementing HKP for small devices (Android, iOS, embedded systems, etc.)
may omit sending the HOST, although they may be using our pool domain.

Therefore, we (people in the pool) can make no assumptions on the value of the
'HOST' parameter. Therefore, it is good practice (if being part of the pool) to
respond to all clients connecting to port 11371.
And therefore, I don't provide the HKP-service at port 80 over IPv4. My choice 
:-)


>> How would bad people benefit from your key-server responding to
>> http://very.bad.com:11731/ anyway?
> 
> "bad ppl" could pretend offering a public service using my machines they
> dont own nor they administre nor they run. my machines would support
> that passivly. think this is easy to understand. and also has some legal
> implications.

No, although it might give you trouble explaining to legal people how DNS and 
the
internet works... It is just not in your hands what IP's other people put in 
their
DNS. People who associate you with the owners of 'unwanted domain' simply don't
understand the internet.

I understand there might be situations that can make you feel uncomfortable,
especially when serving a website. However, among the millions of keys we 
serve, I
am sure there are keys of people that I don't want to be associated with.
Therefore, I try to be associated with 'undiscriminating' key server 
administrators
and hope this outweighs possible negative associations :-)

To me, it is even better if Mr(s) Bad points his/her own domain/DNS to my key
server to get his/her key, than prominently being listed with my own domain 
name on
the website of Mr(s) Bad. That would even result in a google-association...


Off-topic
As a side note: curious how easily some discussions on this list go into 
extremes,
followed by getting personal and people getting hurt. Usually that kind of 
emotions
is a sign of dedication to the subject, making it even more painful...

As I am open to every client connecting (though rate limited), I am also open 
for
peering with every SKS operator. Just send me your info off-list and I'll send 
you
mine.

Just my € 0,02

Arnold