sks-devel

Re: [Sks-devel] keyserver.cns.vt.edu updates


From: oakwhiz
Subject: Re: [Sks-devel] keyserver.cns.vt.edu updates
Date: Thu, 13 Oct 2011 22:39:27 -0700


> Am I better off with a cert in most default trust stores, or am I better off with CAcert?

In my opinion, you're better off with a self-signed certificate, because you cannot trust the certificate authorities not to sign a fake certificate for use in a man-in-the-middle attack. Isn't this the point of using the OpenPGP trust model instead of the flawed X.509 trust model?

-oakwhiz.

On Thu, Oct 13, 2011 at 5:21 PM, Phil Benchoff <address@hidden> wrote:
Some updates on keyserver.cns.vt.edu:

- Thanks to all who responded to my request for peers.  I think I have added
 everyone who responded.

- I changed both the v4 and v6 addresses today.  I left both the old and
 new addresses bound for several hours more than the DNS TTL and then
 removed the old addresses.  If you have some firewall rules or something
 that are configured by address, they need to be updated.  Let me know
 if so and I won't assume DNS will take care of everything the next time.
 Tcpdump didn't show any traffic on the old addresses.

- I'm using stunnel to provide SSL on both ports 11372 and 443.  Right now
 I'm using a CAcert certificate.  I plan to change 443 to a cert that
 is in the trust store of most browsers.  The question is what to do with
 11372.  I'm guessing most people who use hkps probably have the CAcert
 root configured as their trusted CA in gnupg.  Am I better off with a
 cert in most default trust stores, or am I better off with CAcert?

- I tried to add use_port_80: (no arguments) to sksconf, but the server
 won't start and complains that an address is in use.  Port 80 does not
 appear to be in use for either the v4 or v6 address of the key server.
 The host itself has a bunch of v4 and v6 addresses with port 80 in use
 though.  Are there any known issues with use_port_80?  Does it use the
 same address list as specified to hkp_address?

Thanks,
Phil

_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel


