[Sks-devel] Joining hkps.pool.sks-keyservers.net

2015-09-21 Thread William Hay
So having acquired a whole bunch of peers for my keyserver I'm now thinking 
about adding hkps support and becoming part of hkps.pool.sks-servers.net.  I've 
got a couple of queries though. 
1. I'll probably want to share the port 443 with other sites.  Can one assume 
that SNI is supported by hkps clients or is there another mechanism recommended 
for hkps sharing a port? 

2. Presumably I need to create a CSR for hkps.pool.sks-servers.net rather than 
my own server name since that is what people will be trying to connect to.  Is 
there any preference with regard to SubjectAltName vs CommonName or both?  The 
modern practice seems to be to use SubjectAltName but backward compatibility 
seems to be an important part of the keyserver world.

3. Are there any conventions regarding what should go into other fields of the 
DN when creating one's CSR?

4. Assuming I want to turn on HSTS I presumably need to install and configure 
sslh to front port 443.  Anything else that might catch me out?

William


___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel


Re: [Sks-devel] Joining hkps.pool.sks-keyservers.net

2015-09-21 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 09/21/2015 06:02 PM, William Hay wrote:
> So having acquired a whole bunch of peers for my keyserver I'm now 
> thinking about adding hkps support and becoming part of 
> hkps.pool.sks-servers.net.  I've got a couple of queries though. 
> 1. I'll probably want to share the port 443 with other sites.  Can
> one assume that SNI is supported by hkps clients or is there
> another mechanism recommended for hkps sharing a port?

Yes, you can assume SNI

> 
> 2. Presumably I need to create a CSR for hkps.pool.sks-servers.net 
> rather than my own server name since that is what people will be

CN should be server name, the pool addresses are added as SANs

> trying to connect to.  Is there any preference with regard to 
> SubjectAltName vs CommonName or both?  The modern practice seems
> to

You add CN, I add the SANs when certifying

> be to use SubjectAltName but backward compatibility seems to be an 
> important part of the keyserver world.

Not for HKPS part, people should use up to date TLS libraries or
security is broken, but more practically it is the only way to support
using port 443 for most administrators that have shared services.
> 
> 3. Are there any conventions regarding what should go into other 
> fields of the DN when creating one's CSR?

I should probably know this by heart, but don't have the config file
around atm; to be safe include CN, O, ST, C

> 
> 4. Assuming I want to turn on HSTS I presumably need to install and 
> configure sslh to front port 443.  Anything else that might catch
> me out?
> 
> William


-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"A ship is safe in harbour, but that's not what ships are for"
(Will Shedd)
-BEGIN PGP SIGNATURE-

iQEcBAEBCgAGBQJWAEN7AAoJECULev7WN52FE4QIAIqXg7H6LM3IiXTodiARuIaO
O/16lV2I8j0nRmOXI229gJ1OJ0hlqhHxj/nwcbG3pCsP6fEeABHPi5FV8TxSsfBg
Ps3/AHEKamn2rzdwEeCqUFKpH8akYXU4S2/z2p5UWPIJmV1D90LjEBuEt25XNlMq
1Tda+I4YQ0kAidmStvNaaQoTVEdB4NcbZVmidLEvkSWqomRg4kJuXY6RyzMueDhH
W7wz0ji+5oLzl2Rx6KsEcLGpeg1EHqIV3+/rPOJIipfJDrpti1+aSum4KIaA7sRh
lhF3nr9bgLqKvrrYHiaCyajjy8BwA+TjU8yAAkUOTQ6WAFmrkrPIZvQk5MwQbnY=
=G9w9
-END PGP SIGNATURE-

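The CSR and certificate layout described in the reply (CN set to the server's own name, O/ST/C filled in, pool names added as SubjectAltName entries by the pool CA at signing time), worked through as an added example that is not part of the thread and not the pool's own tooling. It generates a key and CSR, then stands in for the pool CA by self-signing the CSR with the SANs appended, and finally checks which hostnames the resulting certificate is valid for. The hostname keyserver.example.org, the DN values and the use of a self-signed certificate in place of the pool CA are assumptions for the demonstration; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the sks-devel thread): CSR with CN = own server
# name, pool names added as SANs at signing time, then hostname checks.
# Assumed: hostname, DN values, and the pool CA simulated by self-signing.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

SERVER_NAME="keyserver.example.org"          # assumed: your host's own name
POOL_NAME="hkps.pool.sks-keyservers.net"     # the pool name clients connect to

make_csr() {
  # CN is the server's own name; O, ST, C as suggested in the reply.
  # The pool name is deliberately NOT placed in the CSR.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -subj "/C=GB/ST=London/O=Example Keyserver/CN=$SERVER_NAME" >/dev/null 2>&1
}

sign_with_pool_sans() {
  # Stand-in for the pool CA: self-sign the CSR and append the SANs.
  # The host's own name must be listed as a SAN too: once a certificate
  # carries any DNS SAN, clients ignore the CN for hostname matching.
  printf 'subjectAltName=DNS:%s,DNS:%s\n' "$SERVER_NAME" "$POOL_NAME" \
    > "$WORKDIR/san.cnf"
  openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
    -days 30 -extfile "$WORKDIR/san.cnf" -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

cert_matches_host() {
  # Returns 0 if the issued certificate is valid for hostname $1, else 1.
  # openssl prints "Hostname X does match certificate" or "does NOT match".
  openssl x509 -in "$WORKDIR/server.crt" -noout -checkhost "$1" \
    | grep -q ' does match '
}

csr_subject_has_cn() {
  # Returns 0 if the CSR's subject carries CN=$1 (handles both the
  # "/CN=x" and "CN = x" output styles of different OpenSSL versions).
  openssl req -in "$WORKDIR/server.csr" -noout -subject | grep -q "CN *= *$1"
}

make_csr
sign_with_pool_sans
for host in "$SERVER_NAME" "$POOL_NAME" "other.example.net"; do
  if cert_matches_host "$host"; then
    echo "valid for $host"
  else
    echo "NOT valid for $host"
  fi
done
```

Against a live server the equivalent check is `openssl s_client -connect yourhost:443 -servername hkps.pool.sks-keyservers.net`, which sends the pool name in SNI (the mechanism the reply says can be assumed) and lets you confirm that the certificate returned for that name carries it as a SAN.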