
Re: [Sks-devel] seeking peers for

From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] seeking peers for
Date: Tue, 07 Sep 2010 18:40:54 +0200
User-agent: Thunderbird (X11/20080305)

Kristian Fiskerstrand wrote, On 09/07/2010 05:19 PM:
> Gaudenz Steinlin wrote, On 09/07/2010 09:21 AM:
>> Excerpts from Phil Pennock's message of Tue Sep 07 03:26:37 +0200 2010:
>>> On 2010-09-06 at 21:03 +0200, Gaudenz Steinlin wrote:
>>>> I would be interested to build up a pool of TLS enabled SKS servers
>>>> with others. To my knowledge there are currently only two other such
>>>> servers ( and The main
>>>> problem to solve for this is how to issue certificates for the servers
>>>> belonging to the pool. Do others have any ideas on this? 
>>> This came up before.  The client needs to support SNI and you need your
>>> web-server to support SNI, so that it can issue different certificates
>>> for different pools.  Then each pool which issues certificates can issue
>>> one to each member of the pool and there is free competition between
>>> pools.
>> This sounds fairly complicated. I would be perfectly happy to just
>> have one pool for TLS as a starting point. This would not need any
>> SNI. Each servers hostname could be added as a subject alt name to the
>> pool certificate. 
>> OTOH it seems that curl already supports SNI. Does this work together
>> with gnupg-curl?
>>> After that, you "just" sort out a CA, the software to build the pool and
>>> find a group of people willing to go along with each installing an extra
>>> certificate to be used when accessed via that pool's service
>>> hostname.
>> Is anyone willing to try to setup an experimental pool? Would it be
>> possible to setup (or similar) for this or
>> should this be done outside of during the
>> experimental phase?
> Good evening,
> I will add this to my todo-list and have a look at it as soon as time
> permits.

Just to get things moving I did a quick fix and whitelisted the 3
servers mentioned in this thread in a new sub-pool. Only the servers in
the whitelist that responded during the regular pool update and met the
other criteria (on regular 11371) are included in the TLS pool that is
now active at

;; ANSWER SECTION: 28800 IN   A 28800 IN   A

A whitelisting approach makes sense overall as we need a CA in such a
setup anyway, so manual interaction is unavoidable.

--
----------------------------
Kristian Fiskerstrand
----------------------------
Dura necessitas
Necessity is harsh
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this, visit:
----------------------------
Public PGP key 0xE3EDFAE3 at


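An added example, not code from the thread or from the SKS project: a small Python model of the sub-pool selection described in the message above (whitelist intersected with the servers that answered on 11371 during the pool update), extended with one further check the thread argues about, namely that the certificate a member serves for the pool hostname actually lists that hostname among its dNSName SANs. Both designs discussed pass that check: Phil's per-member certificate issued for the pool service name (selected via SNI), and Gaudenz's single shared certificate carrying the pool name plus every member's hostname. The pool hostname, member names, addresses and probe results below are constructed; the SAN check is a suggested addition, not part of the pool update Kristian describes.

```python
"""Build a TLS keyserver sub-pool from a whitelist plus probe results.

Hypothetical data only: pool name, member hostnames, IPs and probe outcomes
are constructed for this example and do not describe real servers.
"""
from dataclasses import dataclass
from typing import List, Set

POOL_HOST = "tls-pool.example.invalid"   # hypothetical pool service hostname
TTL = 28800                              # TTL used in the pool's A records


@dataclass
class Probe:
    host: str            # member's own hostname
    ip: str
    port_11371_ok: bool  # answered the regular (plain HKP) pool check
    san: List[str]       # dNSName SANs of the cert it serves for POOL_HOST


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: case-insensitive, at most one wildcard, and only
    as the entire leftmost label; refuse wildcards that would cover a TLD."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san: List[str], host: str) -> bool:
    """True if any SAN entry is valid for the given hostname."""
    return any(hostname_matches(name, host) for name in san)


def select_members(whitelist: Set[str], probes: List[Probe],
                   pool_host: str = POOL_HOST) -> List[Probe]:
    """Whitelisted, answered on 11371, and presents a cert valid for the pool
    name.  Order is kept deterministic by sorting on the member hostname."""
    chosen = [p for p in probes
              if p.host in whitelist
              and p.port_11371_ok
              and cert_covers(p.san, pool_host)]
    return sorted(chosen, key=lambda p: p.host)


def zone_records(members: List[Probe], pool_host: str = POOL_HOST,
                 ttl: int = TTL) -> List[str]:
    """One A record per member, in the shape of a dig ANSWER SECTION."""
    return [f"{pool_host}. {ttl} IN A {m.ip}" for m in members]


# Constructed whitelist and probe results (not real servers).
WHITELIST = {"keys.a.example.invalid", "keys.b.example.invalid",
             "keys.c.example.invalid", "keys.e.example.invalid"}

PROBES = [
    # per-member cert issued for the pool name (the SNI variant)
    Probe("keys.a.example.invalid", "192.0.2.10", True,
          [POOL_HOST, "keys.a.example.invalid"]),
    # one shared pool cert listing the pool name and every member
    Probe("keys.b.example.invalid", "192.0.2.20", True,
          [POOL_HOST, "keys.a.example.invalid", "keys.b.example.invalid",
           "keys.c.example.invalid"]),
    # whitelisted but did not answer on 11371
    Probe("keys.c.example.invalid", "192.0.2.30", False, [POOL_HOST]),
    # healthy, correct cert, but not whitelisted
    Probe("keys.d.example.invalid", "192.0.2.40", True, [POOL_HOST]),
    # whitelisted and healthy, but its cert only names itself
    Probe("keys.e.example.invalid", "192.0.2.50", True,
          ["keys.e.example.invalid"]),
]

if __name__ == "__main__":
    for record in zone_records(select_members(WHITELIST, PROBES)):
        print(record)
```

Only keys.a and keys.b make it into the zone: keys.c fails the 11371 check, keys.d is not whitelisted, and keys.e serves a certificate a client connecting to the pool name would reject. The wildcard handling is deliberately strict (no `*.invalid`, no matching across label boundaries), which is the behaviour a client validating the pool name should expect.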