Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
From: Phil Pennock
Subject: Re: [Sks-devel] sks-keyservers.net New HKPS subpool added
Date: Mon, 8 Oct 2012 13:09:10 -0700

On 2012-10-08 at 21:32 +0200, Kristian Fiskerstrand wrote:
> The certificate presented by keys2.kfwebs.net should be a chained
> certificate containing both the CA itself and the individual cert for
> keys2.kfwebs.net. I'm not entirely sure that this is fully required, but
> at least it works for me :)

Right, that tests subjectAltName operation in TLS certificate
verification. That works.

Unless everyone else _replaces_ their certs with certs issued by you,
that in itself doesn't help: it means you become the only person who can
issue certs for any SKS keyserver's HTTPS interface.

The key is for other people to be able to issue _different_ certs based
on the serverNameIndication in the TLS client hello message; vhosting,
like the Host: header in HTTP, but moved up into the TLS handshake so
that the server can select the correct key/cert pair to use for the
session.

I'll go ahead and send you a CSR shortly, so that sks.spodhuis.org can
have two certs and we can test. :)

-Phil