
Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch


From: Phil Pennock
Subject: Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch
Date: Mon, 6 Sep 2010 21:26:37 -0400

On 2010-09-06 at 21:03 +0200, Gaudenz Steinlin wrote:
> I would be interested to build up a pool of TLS enabled SKS servers
> with others. To my knowledge there are currently only two other such
> servers (zimmermann.mayfirst.org and keys.indymedia.org). The main
> problem to solve for this is how to issue certificates for the servers
> belonging to the pool. Do others have any ideas on this? 

This came up before.  The client needs to support SNI and you need your
web-server to support SNI, so that it can issue different certificates
for different pools.  Then each pool which issues certificates can issue
one to each member of the pool and there is free competition between
pools.

After that, you "just" sort out a CA, the software to build the pool and
find a group of people willing to go along with each installing an extra
certificate to be used when accessed via that pool's service hostname.

> To use hkps with gnupg you need to build gnupg with libcurl support.
> On Debian systems this is included in the gnupg-curl package.
> 
> I'm currently missing a index.html file for my server. I noticed that
> most servers use the same template. Is this available somewhere for
> download? 

In general, it's just a static HTML page which references a form, which
uses URLs that reference the SKS server.  I wrote my own, referencing
the source to find a couple of options commonly missed.  Feel free to
grab http://sks.spodhuis.org/index.html -- I've no idea about the rest;
I'd assumed that Debian packaged one, but I see I was wrong.

You probably want an index page, a favicon and a robots.txt file.  The
last is especially convenient if you're proxying ports 80/443 onto SKS,
as you appear to be doing.  Since any pool-name will resolve to multiple
servers, not just yours, if you're going to serve on ports 80/443 please
*PLEASE* include a robots.txt to keep search crawlers from trying to
spider the entire web of trust.

---------------------------8< robots.txt >8-----------------------------
User-agent: *
Disallow: /pks/
----------------------------8< cut here >8------------------------------

> Please contact me directly if you are willing to peer. You won't be
> able to connect to port 11370 until your ip is whitelisted in my
> firewall rules. The usual hkp client port is open for everyone.

You don't mention if you're *only* willing to peer with people who offer
hkps: access, or with anyone?

-Phil

Attachment: pgphl7Q67dZFM.pgp
Description: PGP signature
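An added example, not from the original thread or from the SKS project, of the front end Phil describes: one nginx server that chooses its certificate from the SNI name the client sent, so a single host can present a different certificate for each pool it belongs to, proxies everything under /pks/ to the local SKS on its default HKP port (11371), serves the static index page and favicon itself, and answers robots.txt with the text posted above so crawlers stay out of the key database. The pool hostnames and certificate paths are placeholders; variables in ssl_certificate need nginx 1.15.9 or later, and the map's default entry is what a client without SNI gets.

```nginx
# Added example (not the original mail's or SKS's own configuration).
# Pool hostnames and certificate paths are placeholders.

# Pick the certificate directory from the SNI name the client sent.
# A client that sends no SNI gets the server's own certificate.
map $ssl_server_name $sks_cert_dir {
    default                 /etc/ssl/sks/keyserver.durcheinandertal.ch;
    hkps.example-pool.net   /etc/ssl/sks/hkps.example-pool.net;   # pool A's CA
    hkps.other-pool.org     /etc/ssl/sks/hkps.other-pool.org;     # pool B's CA
}

server {
    listen 80;
    listen 443 ssl;
    server_name keyserver.durcheinandertal.ch
                hkps.example-pool.net
                hkps.other-pool.org;

    # Variables here require nginx >= 1.15.9; the certificate is loaded
    # per handshake, which is fine for keyserver traffic volumes.
    ssl_certificate     $sks_cert_dir/fullchain.pem;
    ssl_certificate_key $sks_cert_dir/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # index.html and favicon.ico live here; nothing else is served statically.
    root /var/www/sks;

    # Answer robots.txt ourselves so crawlers never reach /pks/ on any
    # of the names that resolve to this host.
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /pks/\n";
    }

    # HKP lookups and submissions go to the local SKS (default port 11371).
    location /pks/ {
        proxy_pass            http://127.0.0.1:11371;
        proxy_set_header      Host $host;
        proxy_set_header      X-Forwarded-For $remote_addr;
        client_max_body_size  8m;   # key submissions can be large
    }

    # Static front page and favicon only; anything else is a 404.
    location / {
        index index.html;
        try_files $uri =404;
    }
}
```

With this in place, `openssl s_client -connect keyserver.example:443 -servername hkps.example-pool.net` should show the pool's certificate while the same command with `-servername keyserver.durcheinandertal.ch` shows the host's own, and a fetch of /robots.txt on either name returns the two-line file without touching SKS.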
