
Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch
Date: Tue, 07 Sep 2010 18:40:54 +0200
User-agent: Thunderbird 2.0.0.12 (X11/20080305)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Kristian Fiskerstrand wrote, On 09/07/2010 05:19 PM:
> Gaudenz Steinlin wrote, On 09/07/2010 09:21 AM:
>> Excerpts from Phil Pennock's message of Die Sep 07 03:26:37 +0200 2010:
>>> On 2010-09-06 at 21:03 +0200, Gaudenz Steinlin wrote:
>>>> I would be interested to build up a pool of TLS enabled SKS servers
>>>> with others. To my knowledge there are currently only two other such
>>>> servers (zimmermann.mayfirst.org and keys.indymedia.org). The main
>>>> problem to solve for this is how to issue certificates for the servers
>>>> belonging to the pool. Do others have any ideas on this? 
>>> This came up before.  The client needs to support SNI and you need your
>>> web-server to support SNI, so that it can issue different certificates
>>> for different pools.  Then each pool which issues certificates can issue
>>> one to each member of the pool and there is free competition between
>>> pools.
>> This sounds fairly complicated. I would be perfectly happy to just
>> have one pool for TLS as a starting point. This would not need any
>> SNI. Each server's hostname could be added as a subject alt name to the
>> pool certificate. 
> 
>> OTOH it seems that curl already supports SNI. Does this work together
>> with gnupg-curl?
> 
>>> After that, you "just" sort out a CA, the software to build the pool and
>>> find a group of people willing to go along with each installing an extra
>>> certificate to be used when accessed via that pool's service
>>> hostname.
>> Is anyone willing to try to set up an experimental pool? Would it be
>> possible to set up tls.pool.sks-keyservers.net (or similar) for this or
>> should this be done outside of sks-keyservers.net during the
>> experimental phase?
> 
> Good evening,
> 
> I will add this to my todo-list and have a look at it as soon as time
> permits.
> 

Just to get things moving I did a quick fix and whitelisted the 3
servers mentioned in this thread in a new sub-pool. Only the servers in
the whitelist that responded during the regular pool update and met the
other criteria (on regular 11371) are included in the TLS pool that is now
active at

;; ANSWER SECTION:
tls.pool.sks-keyservers.net. 28800 IN   A       204.13.164.120
tls.pool.sks-keyservers.net. 28800 IN   A       209.234.253.170

A whitelisting approach makes sense overall as we need a CA in such a
setup anyways, so manual interaction is unavoidable.


- --
- ----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
- ----------------------------
Dura necessitas
Necessity is harsh
- ----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this, visit:
http://www.secure-my-email.com
- ----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)
-----END PGP SIGNATURE-----
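The thread settles on a single TLS pool whose certificate carries the pool name and the members' hostnames as subject alt names, with members published as A records under tls.pool.sks-keyservers.net. The script below is an added example, not code from the thread or from the SKS project, for an operator who wants to audit such a pool: it parses the dig ANSWER SECTION quoted above, connects to each member with SNI set to the pool name, and checks that the presented certificate's SAN covers the pool hostname. The port (443 for HKPS), the `cafile` parameter for a pool-specific CA, and all function names are assumptions of this example.

```python
"""Audit a TLS keyserver pool: every member must present a certificate whose
subjectAltName covers the pool hostname. Added example, not part of the thread."""
import re
import socket
import ssl

POOL_NAME = "tls.pool.sks-keyservers.net"   # pool hostname from the thread
HKPS_PORT = 443   # assumption: HKPS on 443; 11371 in the thread is the plain HKP port

# Constructed input: the dig ANSWER SECTION quoted in the message above.
ANSWER_SECTION = """\
;; ANSWER SECTION:
tls.pool.sks-keyservers.net. 28800 IN   A       204.13.164.120
tls.pool.sks-keyservers.net. 28800 IN   A       209.234.253.170
"""

A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def pool_members(answer_section, pool_name):
    """Return the A-record addresses published for pool_name in dig-style output."""
    members = []
    for line in answer_section.splitlines():
        m = A_RECORD.match(line)
        if m and m.group(1).lower() == pool_name.lower():
            members.append(m.group(2))
    return members


def san_dns_names(cert):
    """DNS entries of subjectAltName from a cert dict as returned by ssl.getpeercert()."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a single wildcard in the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def covers_pool(cert, pool_name):
    """True if at least one SAN DNS entry of the certificate covers the pool hostname."""
    return any(name_matches(name, pool_name) for name in san_dns_names(cert))


def check_member(ip, pool_name, port=HKPS_PORT, cafile=None, timeout=5.0):
    """Connect to one member by IP, send SNI=pool_name, and report what it presented.

    The chain is verified against cafile (or the system store when None); the
    hostname check is done by covers_pool() so the SAN list can be reported
    even when it does not match. Requires network access (hypothetical usage)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # we do the SAN comparison ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED   # keep chain validation so getpeercert() is populated
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=pool_name) as tls:
            cert = tls.getpeercert()
    names = san_dns_names(cert)
    return {"ip": ip, "ok": covers_pool(cert, pool_name), "san": names}


def audit_pool(answer_section, pool_name, **kw):
    """Check every member listed in the DNS answer; returns one report dict per member."""
    reports = []
    for ip in pool_members(answer_section, pool_name):
        try:
            reports.append(check_member(ip, pool_name, **kw))
        except (OSError, ssl.SSLError) as exc:   # unreachable member or failed chain validation
            reports.append({"ip": ip, "ok": False, "error": str(exc)})
    return reports


if __name__ == "__main__":
    for report in audit_pool(ANSWER_SECTION, POOL_NAME):
        print(report)
```

A member that responds on port 11371 but presents a certificate without the pool name in its SAN shows up as `ok: False` with the SAN list it actually sent, which is the case the whitelist approach in the message is meant to catch before a server is added to the sub-pool.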


