
Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]


From: dirk astrath
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Sun, 14 Jan 2018 09:27:05 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

Hello,

> first of all CACert is total crap. They have been removed from the linux
> distributions they were (falsely) included in and no browser ever
> trusted them because they can't seem to pass the security audits. I
> realize this comment will probably cause me a lot of ranting but it has
> to be said that having certificates signed by CACert is no better than
> signing them yourself.

We could now start a flame-war against CAcert and/or PGP, for or against different styles of Web-Of-Trust, for or against different tools to be installed to use this Web-Of-Trust or inclusion in mail- or webclients/browsers/distributions ... or not.

But we should not do it here ... ;-)

(NB: There is a difference between selfsigned and CAcert ... see below)

> Just use Let's Encrypt certificates. They are short lived certificates
> and through the dns-01 challenge you will stay in control as you can
> (..)
> That way you can drastically increase the amount of servers included in
> the hkps pool while decreasing your workload and having a huge plus
> in security and trust through the validatable certificates.

Using LE (or any other being-in-the-browser-CA) will not easily be possible.

For your Keyserver you can use a Certificate issued by any CA as long as it does not contain one of the pool names. On my server I decided to use Let's Encrypt.

To contain one (or more) of the pool names the certificate has to be issued (or provided) by the owner of this domain (in this case Kristian).

But ...

Kristian will not hand over the private key for a pool-certificate to anybody. If he would, nearly "anybody" would be able to get the private key and CA-signed certificate (as it's outside of Kristian's control) ... which would not strengthen the security of a pool-certificate.

Another way is setting up a CA by Kristian especially for this purpose to create certificates only for keyserver-pool-names (and your servername). Unfortunately this local CA is in the same status as your self-signed certificate or CAcert: Not included in any mail-clients or browsers.

But ...

This special "Kristian-CA"-case has advantages even without being in the mail-clients/browsers:

The software to be used to "ask" the keyserver-pools can contain the root-certificate of this CA ...

... and ... signing your webserver-key by "Kristian-CA" will show others, that your server is a trusted server of the keyserver-pool (a status you will not get by using a self-signed certificate).

Kind regards,

dirk
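
Added example, not part of the original message and not code from any keyserver or client project: a Go sketch of the check a pool client with a bundled pool root would perform, showing that a pool-CA certificate carrying the pool name verifies while a self-signed one, or one without the pool name, does not. The throwaway CA, the host names `pool.keys.example` and `ks1.example.org`, and the helper names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const poolName, ownName = "pool.keys.example", "ks1.example.org" // constructed names

// issue makes a certificate for names; with ca == nil it is self-signed.
func issue(cn string, names []string, usage x509.KeyUsage, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: names,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage}
	if ca == nil {
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifiesAs reports whether cert chains to poolCA (the only trusted root) and names host.
func verifiesAs(cert, poolCA *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(poolCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// demo checks three server certificates the way a pool client with the bundled root would.
func demo() (member, selfSigned, noPoolName bool) {
	ca, caKey := issue("Pool CA (constructed)", nil, x509.KeyUsageCertSign, nil, nil)
	m, _ := issue(ownName, []string{poolName, ownName}, x509.KeyUsageDigitalSignature, ca, caKey)
	s, _ := issue(ownName, []string{poolName, ownName}, x509.KeyUsageDigitalSignature, nil, nil)
	o, _ := issue(ownName, []string{ownName}, x509.KeyUsageDigitalSignature, ca, caKey)
	return verifiesAs(m, ca, poolName), verifiesAs(s, ca, poolName), verifiesAs(o, ca, poolName)
}
func main() { fmt.Println(demo()) }
```

The trust store here holds only the pool root, so a certificate from a browser-trusted CA would also be rejected unless that CA were added alongside it.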


