Re: [Sks-devel] redirect http to https?
From: Jonathon Weiss
Subject: Re: [Sks-devel] redirect http to https?
Date: Thu, 21 Aug 2014 16:34:09 -0400

Kristian Fiskerstrand <address@hidden> wrote:
> On 08/19/2014 11:39 PM, Jonathon Weiss wrote:
> >
> > So, a user suggested that we should redirect all http connections
> > to https. The user was clearly confused in a number of ways about
> > how the keyservers worked, and his specific examples of why it was
> > important were incorrect. That said, there's clearly at least a
> > little value in pushing people toward encryption.
> >
> > So, I was wondering. Has anyone done this? Are there concerns
> > about (non-browser) clients using hkp but not supporting re-directs
> > or hkps, who would then be unable to use our server? I suppose I
> > could consider leaving port 11371 as is, but force re-directs on
> > port 80. That would probably satisfy the clueless masses on the
> > internet, but would it eliminate any risk of breakage?
>
> I do not think redirecting on port 11371 is appropriate as using HKPS
> requires supplemental configuration and is not guaranteed to be
> supported out of the box by all implementations. iirc there have been
> plenty of issues e.g. for debian users without the gnupg-curl package
> (i.e. using curl-shim rather than a full curl linkage). I do not have
> control over which other clients are used, in particular in automated
> environments, where I suspect the amount of breakage would be highest
> and most difficult to deal with.

Thanks, that's roughly what I was thinking.

> For port 80 you can do what you want (but the server will disappear
> from the p80 sub-pool in such a case as it isn't actually serving
> content on port 80).

Hmmm, that makes sense, but hadn't occurred to me. I'll have to mull
that over some, but suspect that I will decide I don't care if I'm in
the p80 pool.

Jonathon

Jonathon Weiss <address@hidden>
MIT/IS&T/O&I Server Operations
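
A check for the split discussed in this thread (port 11371 left as plain HKP, port 80 redirected to https), as an added example that is not code from either participant: it probes a listener without following redirects, the way a client lacking redirect or HKPS support would, and labels the result. The local stub listeners, the host `keys.example.org` and the all-zero key ID are constructed so the example runs offline; point `probe` at a real host and port to use it.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed HKP index query; the all-zero key ID is a placeholder.
LOOKUP = "/pks/lookup?op=index&search=0x0000000000000000"

def probe(host, port, path=LOOKUP, timeout=5):
    """Send one GET and do not follow redirects, like a minimal HKP client."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(status, location):
    """Label how a listener treats a plain-HTTP keyserver request."""
    if status in (301, 302, 303, 307, 308):
        https = (location or "").lower().startswith("https://")
        return "redirects-to-https" if https else "redirects-elsewhere"
    return "answers-directly"  # includes 404 for an unknown key

def _stub(redirect_to=None):
    """Constructed local listener standing in for one keyserver port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"" if redirect_to else b"stub index\n"
            self.send_response(301 if redirect_to else 200)
            if redirect_to:
                self.send_header("Location", redirect_to + self.path)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args): pass  # keep the demo quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    """Stub for port 11371 serves content; stub for port 80 redirects."""
    hkp, web = _stub(), _stub("https://keys.example.org")
    try:
        return tuple(classify(*probe("127.0.0.1", s.server_port)) for s in (hkp, web))
    finally:
        for s in (hkp, web):
            s.shutdown()
```

A result of `redirects-to-https` on the HKP port is the case that would break clients without redirect or HKPS support.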