
Re: [Sks-devel] ECC HTTPS certs for HKPS


From: Pete Stephenson
Subject: Re: [Sks-devel] ECC HTTPS certs for HKPS
Date: Sat, 1 Apr 2017 13:19:09 +0200

On Sat, Apr 1, 2017 at 3:47 AM, Daniel Kahn Gillmor
<address@hidden> wrote:
> On Fri 2017-03-31 16:40:25 -0500, Phil Pennock wrote:
>> Is anyone interested in testing client/tooling interop with an HKP
>> keyserver (SKS) which has ECC keys/certs in front of it?  I need to
>> renew my sks-keyservers cert within the next month and when I asked
>> Kristian last year, dual-stack was to-be-investigated, so I figure I
>> should investigate a little now.
>
> thanks for doing this testing, Phil.  Can you clarify what you mean by
> "dual-stack" ?  do you mean "offering both RSA and ECC certs" or
> something else?

I've asked Kristian about running a dual-stack (in Daniel's
definition) ECC & RSA server. So far, no dice.

In theory, it shouldn't have any issues with legacy setups, since the
server and client send a list of supported ciphersuites in the
ClientHello message, so the server would know if the client supports
ECC and/or RSA before presenting the appropriate certificate. However,
the difference between theory and practice is that in theory, there is
no difference.

It'd certainly be interesting to try it out in production for a bit to
see how clients handle it, particularly if it'd be possible to log
error states or abandoned connections before and after offering both
types of certs.

Cheers!
-Pete




-- 
Pete Stephenson
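
The selection described in the message above, where the ciphersuite list in the ClientHello determines which certificate is presented, modelled as an added example that is not part of the original post or of any TLS library. The client lists and server preference order are constructed, and the model assumes TLS 1.2 suite names and ignores the curve and signature-algorithm extensions a real server also checks.

```python
# Added illustration: simplified TLS 1.2 certificate selection for a server
# holding RSA and/or ECDSA certificates. All suite lists below are constructed.

def auth_type(suite):
    """Certificate key type required by an IANA TLS 1.2 suite name.

    Covers RSA, DHE_* and ECDHE_* key exchange only (not static ECDH suites).
    """
    kx = suite[len("TLS_"):].split("_WITH_")[0]  # e.g. "ECDHE_ECDSA" or "RSA"
    return kx.split("_")[-1]                     # last token names the auth key

def select(server_prefs, server_certs, client_suites):
    """Return (suite, cert type) in server preference order, or None.

    Assumption: the supported-curves and signature_algorithms extensions
    are ignored; a real server checks those as well.
    """
    offered = set(client_suites)
    for suite in server_prefs:
        if suite in offered and auth_type(suite) in server_certs:
            return suite, auth_type(suite)
    return None  # no usable overlap: the handshake fails

SERVER_PREFS = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

CLIENTS = {  # constructed ClientHello suite lists
    "legacy": ["TLS_RSA_WITH_AES_128_CBC_SHA",
               "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"],
    "modern": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}

def survey(server_certs):
    """Outcome per client for a server holding the given certificate types."""
    return {name: select(SERVER_PREFS, server_certs, suites)
            for name, suites in CLIENTS.items()}

if __name__ == "__main__":
    for certs in ({"RSA", "ECDSA"}, {"ECDSA"}, {"RSA"}):
        print(sorted(certs), survey(certs))
```

In this model the dual-certificate server serves both clients, while the ECDSA-only server has no suite in common with the legacy client.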


