Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
From: dirk astrath
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Sun, 14 Jan 2018 09:27:05 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
Hello,
> first of all CACert is total crap. They have been removed from the linux
> distributions they were (falsely) included in and no browser ever
> trusted them because they can't seem to pass the security audits. I
> realize this comment will probably cause me a lot of ranting but it has
> to be said that having certificates signed by CACert is no better than
> signing them yourself.
We could now start a flame-war against CAcert and/or PGP, for or against
different styles of Web-Of-Trust, for or against different tools to be
installed to use this Web-Of-Trust or inclusion in mail- or
webclients/browsers/distributions ... or not.
But we should not do it here ... ;-)
(NB: There is a difference between selfsigned and CAcert ... see below)
> Just use Let's Encrypt certificates. They are short lived certificates
> and through the dns-01 challenge you will stay in control as you can
> (..)
> That way you can drastically increase the amount of servers included in
> the hkps pool while decreasing your workload and having a huge plus
> in security and trust through the validatable certificates.
Using LE (or any other being-in-the-browser-CA) will not easily be possible.
For your keyserver you can use a certificate issued by any CA as long as
it does not contain one of the pool names. On my server I decided to
use Let's Encrypt.
To contain one (or more) of the pool names the certificate has to be
issued (or provided) by the owner of this domain (in this case Kristian).
But ...
Kristian will not hand over the private key for a pool-certificate to
anybody. If he did, nearly "anybody" would be able to get the private
key and CA-signed certificate (as it's outside of Kristian's control)
... which would not strengthen the security of a pool-certificate.
Another way is setting up a CA by Kristian especially for this purpose
to create certificates only for keyserver-pool-names (and your
servername). Unfortunately this local CA is in the same status as your
self-signed certificate or CAcert: Not included in any mail-clients or
browsers.
But ...
This special "Kristian-CA"-case has advantages even without being in the
mail-clients/browsers:
The software to be used to "ask" the keyserver-pools can contain the
root-certificate of this CA ...
... and ... signing your webserver-key by "Kristian-CA" will show
others that your server is a trusted server of the keyserver-pool (a
status you will not get by using a self-signed certificate).
Kind regards,
dirk
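As an added illustration of the "Kristian-CA" arrangement described in the message above (example script written for this archive page, not from the thread or the SKS project): the pool owner runs a dedicated CA, the operator only hands over a CSR, the issued certificate carries both the pool name and the server name as SANs, and a client that embeds the pool root verifies against that root alone. The CA name, the pool and server host names and the working directory are assumed placeholders.

```shell
#!/bin/sh
# Minimal "pool CA" demo with openssl. All names below are placeholders
# chosen for this example; nothing here is the real pool's configuration.
set -eu
WORK="${WORK:-$(mktemp -d)}"
POOL_NAME="hkps.pool.example"      # placeholder for a pool DNS name
SERVER_NAME="keys.example.org"     # placeholder for the operator's host

# Pool owner: create the dedicated root CA. Its private key stays with
# the pool owner and is never handed to a server operator.
make_pool_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Pool CA (example)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Operator: generate the server key locally; only the CSR leaves the host.
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$SERVER_NAME" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
}

# Pool owner: sign the CSR and add the pool name plus the server name as
# subjectAltName entries (the certificate is what "contains" pool names).
sign_server_cert() {
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$POOL_NAME" "$SERVER_NAME" \
    > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Client side: a tool that embeds the pool root trusts ca.crt only (not the
# system store) and requires the expected host name. Returns 0 on success.
verify_against_pool_root() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

make_pool_ca && make_server_csr && sign_server_cert
verify_against_pool_root "$POOL_NAME" && echo "pool name accepted"
# A name the pool owner never put into the certificate must be refused.
verify_against_pool_root "other.example" && echo "unexpected" \
  || echo "other name refused"
```

Swapping `-CAfile "$WORK/ca.crt"` for the system trust store makes the same verification fail, which is the "not included in any browser" status the message describes.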