Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch


From: David Shaw
Subject: Re: [Sks-devel] seeking peers for keyserver.durcheinandertal.ch
Date: Tue, 7 Sep 2010 11:01:14 -0400

On Sep 7, 2010, at 3:21 AM, Gaudenz Steinlin wrote:

> Excerpts from Phil Pennock's message of Die Sep 07 03:26:37 +0200 2010:
>> On 2010-09-06 at 21:03 +0200, Gaudenz Steinlin wrote:
>>> I would be interested to build up a pool of TLS enabled SKS servers
>>> with others. To my knowledge there are currently only two other such
>>> servers (zimmermann.mayfirst.org and keys.indymedia.org). The main
>>> problem to solve for this is how to issue certificates for the servers
>>> belonging to the pool. Do others have any ideas on this? 
>> 
>> This came up before.  The client needs to support SNI and you need your
>> web-server to support SNI, so that it can issue different certificates
>> for different pools.  Then each pool which issues certificates can issue
>> one to each member of the pool and there is free competition between
>> pools.
> 
> This sounds fairly complicated. I would be perfectly happy to just
> have one pool for TLS as a starting point. This would not need any
> SNI. Each server's hostname could be added as a subject alt name to the
> pool certificate. 
> 
> OTOH it seems that curl already supports SNI. Does this work together
> with gnupg-curl?

If libcurl and whatever underlying SSL library it is built with both support 
SNI, then the hkps code in GnuPG supports SNI.  Those are two ifs, though.

David



