sks-devel

Re: [Sks-devel] hkps (was Re: resyncing server)


From: Phil Pennock
Subject: Re: [Sks-devel] hkps (was Re: resyncing server)
Date: Wed, 6 Feb 2013 03:16:09 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 2013-02-06 at 08:55 +0100, Moritz Rudert (helios) wrote:
> Seems to be fixed and we're listed again in the reliable pool.
> We're running the nginx proxy on port 443 too but on the page hkps is
> red. What did I do wrong?

You need to read the description on:
  http://www.sks-keyservers.net/overview-of-pools.php

Notably: the https://sks-keyservers.net/status/ page is not a general
purpose "your server is healthy" check, although it has a side-effect of
being useful for that in many cases.  It's a check on whether or not the
server is fit to be included in the pools.

Certificates have to be verified to be useful.  So for the
"hkps.pool.sks-keyservers.net" case, that is the name that needs to be
in the certificate.  If a normal certificate authority will grant you a
cert for that, then they're doing something very wrong and they should
be blacklisted.

Instead, we rely upon any hkps client sending ServerNameIndication; any
release which actually both supports hkps and verifies certificates
should do so; some old setups won't, but so many things will break for
them these days that they're just not worth worrying about.

So you can serve up multiple hostnames, each with their own TLS key/cert
combination, and one of those hostnames can be the pool one, and
Kristian can issue you a cert for that from his private CA used for this
pool.

Those who want to actually verify the connections can use the pool name
and get the CA cert for signing those pools, verify the PGP signature
and put it in their client config as a trust anchor.

And you can do the same for any other hostname, so there's no
exclusivity here.

- -Phil
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAlESEUAACgkQQDBDFTkDY38rwQCgjmnaJf/JGkgEDIvmelVOOvuo
DIoAnRT+D4MszhbB8DdG1T0Fih4QlPgm
=eEm4
-----END PGP SIGNATURE-----
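The setup Phil describes, as an added example rather than anything from the original message or the SKS project: one nginx instance on port 443 serving two hostnames, each with its own key/cert, with TLS selecting the certificate from the ServerNameIndication the client sends. The hostname keys.example.org, the certificate paths, and the upstream SKS port (11371, the usual HKP port) are assumptions; the pool hostname is the one from the thread, and its certificate is assumed to have been issued by the pool's private CA as described above.

```nginx
# Added example (not from the original message). Two SNI-selected virtual
# hosts on the same IP:443, both proxying to a local SKS instance.
# Hostnames, file paths and the upstream port are assumptions.

upstream sks {
    server 127.0.0.1:11371;   # assumption: SKS listening on its default HKP port
}

# Operator's own hostname, with a certificate from any public CA.
# As the first ssl server block it is also what a client that sends no SNI
# gets, so such a client sees this name in the certificate, not the pool's.
server {
    listen 443 ssl;
    server_name keys.example.org;
    ssl_certificate     /etc/ssl/keys.example.org.crt;
    ssl_certificate_key /etc/ssl/keys.example.org.key;
    location / {
        proxy_pass http://sks;
        proxy_set_header Host $host;
    }
}

# Pool hostname. A public CA must not issue for this name; the cert here is
# assumed to come from the pool's private CA. Only clients that send SNI
# for this name are handed this certificate.
server {
    listen 443 ssl;
    server_name hkps.pool.sks-keyservers.net;
    ssl_certificate     /etc/ssl/hkps.pool.sks-keyservers.net.crt;
    ssl_certificate_key /etc/ssl/hkps.pool.sks-keyservers.net.key;
    location / {
        proxy_pass http://sks;
        proxy_set_header Host $host;
    }
}
```

To check from the client side that the right certificate is selected and that it chains to the pool CA you have pinned, connect to your own address but send the pool name as SNI, for example `openssl s_client -connect keys.example.org:443 -servername hkps.pool.sks-keyservers.net -CAfile /path/to/pool-ca.pem` (the CA file path is an assumption; it is the PGP-signed CA certificate mentioned above, verified before being trusted). The same command without `-servername` should show the keys.example.org certificate instead, which is the behaviour an hkps client that does not send SNI would run into.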


