
Re: [Sks-devel] redirect http to https?


From: Jonathon Weiss
Subject: Re: [Sks-devel] redirect http to https?
Date: Thu, 21 Aug 2014 16:34:09 -0400

Kristian Fiskerstrand <address@hidden> wrote:

> On 08/19/2014 11:39 PM, Jonathon Weiss wrote:
> > 
> > So, a user suggested that we should redirect all http connections
> > to https.  The user was clearly confused in a number of ways about
> > how the keyservers worked, and his specific examples of why it was
> > important were incorrect.  That said, there's clearly at least a
> > little value in pushing people toward encryption.
> > 
> > So, I was wondering.  Has anyone done this?  Are there concerns
> > about (non-browser) clients using hkp but not supporting re-directs
> > or hkps, who would then be unable to use our server?  I suppose I
> > could consider leaving port 11371 as is, but force re-directs on
> > port 80.  That would probably satisfy the clueless masses on the
> > internet, but would it eliminate any risk of breakage?
> 
> I do not think redirecting on port 11371 is appropriate, as using HKPS
> requires supplemental configuration and is not guaranteed to be
> supported out of the box by all implementations. iirc there have been
> plenty of issues e.g. for Debian users without the gnupg-curl package
> (i.e. using curl-shim rather than a full curl linkage). I do not have
> control over which other clients are used, in particular in automated
> environments, where I suspect the amount of breakage would be highest
> and most difficult to deal with.

Thanks, that's roughly what I was thinking.

> For port 80 you can do what you want (but the server will disappear
> from the p80 sub-pool in such a case as it isn't actually serving
> content on port 80).

Hmmm, that makes sense, but hadn't occurred to me.  I'll have to mull
that over some, but suspect that I will decide I don't care if I'm in
the p80 pool.


        Jonathon

        Jonathon Weiss <address@hidden>
        MIT/IS&T/O&I  Server Operations


