
Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch


From: Gaudenz Steinlin
Subject: Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch
Date: Tue, 07 Sep 2010 09:21:32 +0200
User-agent: Sup/git

Excerpts from Phil Pennock's message of Die Sep 07 03:26:37 +0200 2010:
> On 2010-09-06 at 21:03 +0200, Gaudenz Steinlin wrote:
> > I would be interested to build up a pool of TLS enabled SKS servers
> > with others. To my knowledge there are currently only two other such
> > servers (zimmermann.mayfirst.org and keys.indymedia.org). The main
> > problem to solve for this is how to issue certificates for the servers
> > belonging to the pool. Do others have any ideas on this? 
> 
> This came up before.  The client needs to support SNI and you need your
> web-server to support SNI, so that it can issue different certificates
> for different pools.  Then each pool which issues certificates can issue
> one to each member of the pool and there is free competition between
> pools.

This sounds fairly complicated. I would be perfectly happy to just
have one pool for TLS as a starting point. This would not need any
SNI. Each server's hostname could be added as a subject alt name to the
pool certificate.

OTOH it seems that curl already supports SNI. Does this work together
with gnupg-curl?

> 
> After that, you "just" sort out a CA, the software to build the pool and
> find a group of people willing to go along with each installing an extra
> certificate to be used when accessed via that pool's service
> hostname.

Is anyone willing to try to set up an experimental pool? Would it be
possible to set up tls.pool.sks-keyservers.net (or similar) for this, or
should this be done outside of sks-keyservers.net during the
experimental phase?

> 
> > To use hkps with gnupg you need to build gnupg with libcurl support.
> > On Debian systems this is included in the gnupg-curl package.
> > 
> > I'm currently missing a index.html file for my server. I noticed that
> > most servers use the same template. Is this available somewhere for
> > download? 
> 
> In general, it's just a static HTML page which references a form, which
> uses URLs that reference the SKS server.  I wrote my own, referencing
> the source to find a couple of options commonly missed.  Feel free to
> grab http://sks.spodhuis.org/index.html -- I've no idea about the rest;
> I'd assumed that Debian packaged one, but I see I was wrong.
> 
> You probably want an index page, a favicon and a robots.txt file.  The
> last is especially convenient if you're proxying ports 80/443 onto SKS,
> as you appear to be doing.  Since any pool-name will resolve to multiple
> servers, not just yours, if you're going to serve on ports 80/443 please
> *PLEASE* include a robots.txt to keep search crawlers from trying to
> spider the entire web of trust.
> 
> ---------------------------8< robots.txt >8-----------------------------
> User-agent: *
> Disallow: /pks/
> ----------------------------8< cut here >8------------------------------

I added the robots.txt file. I will add a basic HTML form later today.

> 
> > Please contact me directly if you are willing to peer. You won't be
> > able to connect to port 11370 until your ip is whitelisted in my
> > firewall rules. The usual hkp client port is open for everyone.
> 
> You don't mention if you're *only* willing to peer with people who offer
> hkps: access, or with anyone?

I'm willing to peer with anyone. AFAIK peering over TLS is not
supported yet. So I don't see any advantage in just peering with hkps
servers. Also the set of hkps servers is probably too small to have a
reliable network.

Gaudenz
--
Ever tried. Ever failed. No matter.
Try again. Fail again. Fail better.
~ Samuel Beckett ~
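The two designs argued over above, a single pool certificate carrying every member's hostname as a subjectAltName versus per-pool certificates selected by SNI, modelled as an added example (not code from SKS or from anyone on the list). It implements the client-side name check a TLS client performs on the presented certificate's dNSName entries and the server-side certificate selection from the SNI name; tls.pool.sks-keyservers.net is the name proposed in the thread, sks.example.net is a constructed placeholder member.

```python
"""Added example: SAN-based hostname matching and SNI-based certificate
selection for a pool of hkps keyservers. Certificates are modelled only
by their subjectAltName dNSName tuples."""


def hostname_matches(dialled, san_dns_names):
    """Return True if a certificate whose SAN dNSName entries are
    san_dns_names is acceptable for the hostname the client dialled.
    Matching is case-insensitive; a wildcard is accepted only as the
    entire left-most label of a name with at least three labels and
    matches exactly one label (the conservative RFC 6125 reading)."""
    host = dialled.lower().rstrip(".")
    hlabels = host.split(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".")
        if pat == host:
            return True
        plabels = pat.split(".")
        if (len(plabels) == len(hlabels) >= 3 and plabels[0] == "*"
                and plabels[1:] == hlabels[1:]):
            return True
    return False


POOL_NAME = "tls.pool.sks-keyservers.net"      # proposed in the thread
MEMBER = "keyserver.durcheinandertal.ch"       # the server seeking peers

# Design A (no SNI needed): one pool certificate listing the pool name
# and every member's own hostname as SANs. sks.example.net is constructed.
POOL_CERT_SANS = (POOL_NAME, MEMBER, "sks.example.net")

# A member's own, non-pool certificate: only its own hostname.
MEMBER_CERT_SANS = (MEMBER,)


def select_cert_by_sni(server_name, certs, default):
    """Design B: a server holding several certificates picks the first
    whose SANs cover the SNI server_name the client sent. Clients that
    send no SNI (server_name is None) get the default certificate, which
    is why the thread notes that both client and web server need SNI."""
    if server_name:
        for sans in certs:
            if hostname_matches(server_name, sans):
                return sans
    return default


if __name__ == "__main__":
    print("pool cert valid for pool name:", hostname_matches(POOL_NAME, POOL_CERT_SANS))
    print("member cert valid for pool name:", hostname_matches(POOL_NAME, MEMBER_CERT_SANS))
```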
