sks-devel

[Sks-devel] ECC HTTPS certs for HKPS


From: Phil Pennock
Subject: [Sks-devel] ECC HTTPS certs for HKPS
Date: Fri, 31 Mar 2017 17:40:25 -0400

Folks,

Is anyone interested in testing client/tooling interop with an HKP
keyserver (SKS) which has ECC keys/certs in front of it?  I need to
renew my sks-keyservers cert within the next month and when I asked
Kristian last year, dual-stack was to-be-investigated, so I figure I
should investigate a little now.

Hostname below.
Certs are from my private CAs because dual-stack is a pain with the free
CAs I know of and I'm not spending $$ on this experiment.  :)

Tested with GnuPG 2.1.19 on three OSes and works fine.  The key is going
to depend upon the TLS support of the OpenPGP client; for sufficiently
recent GnuPG, I _think_ that's normally GnuTLS, although ntbtls might
sometimes be used?  What other HKP-speaking OpenPGP clients are folks
using?  What about other tooling, for admin work?  Does anything break
with dual-chain RSA/ECC?

* Linux GnuPG=2.1.19 GnuTLS=3.4.17 works
* FreeBSD GnuPG=2.1.19 GnuTLS=3.5.9 works
* macOS GnuPG=2.1.19 GnuTLS=3.5.10 works
... which pretty much just tells me that modern GnuTLS handles ECC just
fine.  I'd like reports from older libraries, and other OpenPGP clients,
please?

CA roots available, with PGP detached signatures, from:
  https://www.security.spodhuis.org/
and you minimally need the `globnixCA5` root for ECC.

The keyserver is my usual keyserver, just accessed under some different
hostnames.

 * hkps://keyserver-ecc-nist.spodhuis.org
 * (currently the same: hkps://keyserver-ecc.spodhuis.org )
 * hkps://keyserver.spodhuis.org

The keyserver.spodhuis.org setup is dual-stack with RSA and ECDSA both.
(RSA cert from `globnixCA4`).

That dual-RSA/ECC hostname also has SRV records which GnuPG 2.1.19 both
uses and unfortunately caches the ports cross-scheme, so if you
accidentally use hkp:// or schema-less access and then try hkps://
you'll get errors because of the GnuPG bug.  `gpgconf --kill dirmngr` is
the easiest way to nuke it and let it be restarted with a clean slate.

(At some point in the future, "keyserver-ecc" will be dual NIST/X25519
certs, which is why it exists now; the X25519-in-TLS draft is AIUI
nearing publication as an RFC).

With GnuPG, the CA PEM needs to be included in the file named in the
`hkp-cacert` configuration option, in ~/.gnupg/dirmngr.conf for newer
GnuPG or ~/.gnupg/gpg.conf for older GnuPG and then used with:

  gpg --keyserver hkps://keyserver-ecc.spodhuis.org --recv-key 0x4D1E900E14C1CC04


Thanks,
-Phil

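An added check, not from Phil's post, for anyone wanting to see which chain a dual-stack RSA/ECDSA HKPS host actually serves: it connects twice with openssl s_client, once advertising only ECDSA signature algorithms and once only RSA, verifies each leaf against the matching private root, and reports the leaf key type. It assumes an OpenSSL with the `-sigalgs` option and that the root PEMs have already been downloaded and signature-checked into the files named below (the filenames are assumptions).

```shell
#!/bin/sh
# Added example (not Phil's code): probe a dual-stack HKPS host for its
# ECDSA and RSA chains. Usage: sh hkps-probe.sh keyserver.spodhuis.org
# With no argument, only the functions are defined (no network access).
# Assumes: openssl s_client supports -sigalgs; root PEM filenames below.

PORT=443                                   # hkps:// uses 443, like https
ECC_ROOT="${ECC_ROOT:-globnixCA5.pem}"     # assumed filename for globnixCA5
RSA_ROOT="${RSA_ROOT:-globnixCA4.pem}"     # assumed filename for globnixCA4

# Classify the leaf key from `openssl x509 -text` output read on stdin:
# prints ecdsa, rsa or unknown (unknown also covers a failed handshake,
# which leaves nothing for openssl x509 to print).
key_type_from_x509_text() {
    text=$(cat)
    case "$text" in
        *"Public Key Algorithm: id-ecPublicKey"*) echo ecdsa ;;
        *"Public Key Algorithm: rsaEncryption"*)  echo rsa ;;
        *)                                        echo unknown ;;
    esac
}

# $1 = host, $2 = signature algorithm list the client will offer,
# $3 = root PEM to verify the served chain against.
# -verify_return_error makes s_client abort on a verification failure,
# so an unverifiable chain shows up as "unknown" rather than a key type.
probe_chain() {
    host="$1"; sigalgs="$2"; root="$3"
    openssl s_client -connect "$host:$PORT" -servername "$host" \
        -sigalgs "$sigalgs" -CAfile "$root" -verify_return_error \
        </dev/null 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null \
      | key_type_from_x509_text
}

main() {
    host="$1"
    echo "$host, ECDSA-only client -> $(probe_chain "$host" ECDSA+SHA256 "$ECC_ROOT")"
    echo "$host, RSA-only client   -> $(probe_chain "$host" RSA+SHA256 "$RSA_ROOT")"
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

A host that is ECDSA-only (like keyserver-ecc-nist) is expected to report `unknown` for the RSA-only client, which is exactly the case an older RSA-only TLS stack would hit.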

