sks-devel


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 08 Oct 2012 20:12:00 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1

On 10/08/2012 07:44 PM, Kristian Fiskerstrand wrote:
> On 10/07/2012 03:18 AM, Phil Pennock wrote:
>> On 2012-10-06 at 11:12 +0200, Stephan Seitz wrote:
>>> I'd like to add ssl to my server, but first I'm afraid I need a few
>>> questions answered.
>>> If I'm going to install a self-signed *.pool.sks-keyservers.net, that
>>> CRT wouldn't have any reputation. As long as there's no additional trust
>>> added (e.g. via monkeysphere), one main purpose of certificates, the
>>> knowledge of talking to the right server, isn't given.
>>
>> I think that self-signed is out.  But if the pool server operator issues
>> certs, given a CSR from you, then all certs are valid given a trust in
>> the CA which is the pool server operator.
>>
>> If Kristian decides that he wants to take on this work, and figure out a
>> safe way of managing key storage, then we can talk to the GnuPG folks
>> about getting his private CA cert (created for this) shipped with GnuPG
>> as an additional trust anchor.  It doesn't need to be a system cert,
>> just something which that application uses.
>>
> 
> Ok, I think I'm getting closer to having a working setup for a CA here
> using subjectAltNames for hkps.pool.sks-keyservers.net
> 
> The current CA cert is available at [0] and I only currently sign
> https://keys.kfwebs.net:11375 and https://keys2.kfwebs.net.
> 
> Anyone up for some testing?
> 
> [0] https://sks-keyservers.net/sks-keyservers.netCA.pem
> 

Just FYI, I have then modified the scripts to only include servers that
are signed with this CA in the pool. So the testing part would be to
send me a CSR for the server by email, presumably using something in the
form of

openssl req -out CSR.csr -key privateKey.key -new

No subjectAltName should be necessary for the CSR generation as this is
added by me upon creating the certificate.


-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Divide et impera
Divide and govern
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this,
the book "Sending Emails - The Safe Way: An
introduction to OpenPGP security" is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

Attachment: signature.asc
Description: OpenPGP digital signature
