
Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]


From: Heiko Richter
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Sun, 14 Jan 2018 05:58:50 +0000 (UTC)
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2

Hi,

first of all, CAcert is total crap. They have been removed from the Linux
distributions they were (falsely) included in and no browser ever
trusted them because they can't seem to pass the security audits. I
realize this comment will probably cause me a lot of ranting, but it has
to be said that having certificates signed by CAcert is no better than
signing them yourself.

Just use Let's Encrypt certificates. They are short-lived certificates,
and through the dns-01 challenge you will stay in control, as you can
decide whether or not to publish a server's authentication token in the
DNS zone. Furthermore you will receive "real" certificates, where
the admins could add the pool hostname along with their own site
specific hostname into one certificate that is trusted by practically
all browsers and operating systems. If you want to kick somebody out, you
just delete their token and their IP address from the DNS zone, so they
won't be included in the pool and won't be able to renew their
short-lived certificate. Furthermore you can first add the token and then
do some kind of automation to check if they have a valid certificate
before including them in the pool, so you only need to manage the dns-01
authentication tokens.

That way you can drastically increase the number of servers included in
the HKPS pool while decreasing your workload and having a huge plus
in security and trust through the validatable certificates.

Heiko

PS: On December 22nd you wanted to sign the certificate for my server.
Is there an update on that?


On 13.01.2018 at 21:10, dirk astrath wrote:
> Hi Kristian,
>
>> A misissued cert could still be used if attacker is persistent
>> enough. Either through dns poision or other attack vectors.
>> And yes, I only issue certs to servers I recognize to have been in
>> the pool for a while and operator should be in the openpgp wot
>> strong-set.
>
> Maybe it's wise to give some more details on the *.csr-file ... as you
> will not sign certificate requests containing
> unneeded/unverifiable/... information.
>
> (Well ... at CAcert site we remove all data we couldn't verify from
> CSR and create the certificate only with the details we're able to
> verify ... this could be a possibility for you, too.).
>
> And ... (remembering a discussion we had at Fosdem last year):
>
> Maybe you give some dates like (please provide CSR-requests before
> 2018-xx-01), so there will only be some special days per year for you to
> sign a bunch of requests instead of getting the requests all over the
> year ...
>
> Kind regards,
>
> dirk
>
> PS: Which reminds me that I wanted to send you updated CSRs ... ;-)
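The automation Heiko sketches above (publish a member's dns-01 token, then admit the member to the pool only once it presents a certificate that is valid for the pool hostname) as an added example; this is not code from the mail or from the SKS project. The pool hostname, member hostnames and certificate data are constructed, and the certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl
import time
from typing import Dict, Iterable, List, Optional

# Constructed pool hostname (assumption, not from the mail).
POOL_HOST = "hkps.pool.example.org"


def cert_valid_for_pool(cert: dict, pool_host: str, now: Optional[float] = None) -> bool:
    """Accept a certificate (getpeercert() dict) only if it has not expired and
    lists the pool hostname as a DNS subjectAltName, i.e. a client connecting
    to the pool name would actually trust this member."""
    now = time.time() if now is None else now
    try:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        return False          # unparsable or missing expiry: treat as invalid
    if not_after <= now:
        return False          # expired short-lived certificate, renewal failed
    sans = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return pool_host in sans


def fetch_peer_cert(member_host: str, port: int = 443) -> dict:
    """Live probe of one candidate member: connect to the member but present the
    pool hostname as SNI/verification name, exactly as a pool client would.
    The default context validates the chain against the system trust store,
    so self-signed or CAcert-issued certificates fail here with SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((member_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=POOL_HOST) as tls:
            return tls.getpeercert()


def members_to_publish(token_holders: Iterable[str], certs: Dict[str, dict],
                       pool_host: str, now: Optional[float] = None) -> List[str]:
    """Reconcile the zone: token_holders are members whose dns-01 token the pool
    operator has published; certs maps member hostname -> probed certificate.
    Only members with a published token AND a valid pool certificate get their
    address into the pool; deleting a token drops a member on the next run."""
    return sorted(h for h in token_holders
                  if h in certs and cert_valid_for_pool(certs[h], pool_host, now))
```

In production the `certs` mapping would be filled by calling `fetch_peer_cert` for each token holder and treating a raised `ssl.SSLError` as "no valid certificate".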



