Re: [Sks-devel] Pools & HSTS header

2016-06-03 Thread Daniel Kahn Gillmor
On Fri 2016-06-03 10:49:57 -0400, Christoph Egger wrote:
> William Hay writes:
>> On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
>>> Hi,
>>>
>>> I enforce HTTPS on all my domains by sending the HSTS header to my
>>> visitors. HSTS forces the browser to use

Re: [Sks-devel] Pools & HSTS header

2016-06-03 Thread William Hay
On Fri, Jun 03, 2016 at 04:49:57PM +0200, Christoph Egger wrote:
> Well.
>
> http://pool.sks-keyservers.net(:11371)? --redirect-->
> https://keyserver.siccegge.de
>
> And if keyserver.siccegge.de present a valid certificate + HSTS would be
> a problem no? (and potentially undetected if the

Re: [Sks-devel] Pools & HSTS header

2016-06-03 Thread Christoph Egger
William Hay writes:
> On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
>> Hi,
>>
>> I enforce HTTPS on all my domains by sending the HSTS header to my
>> visitors. HSTS forces the browser to use in future only secure
>> connections to this domain. More info

Re: [Sks-devel] Pools & HSTS header

2016-06-02 Thread William Hay
On Thu, May 26, 2016 at 12:47:57AM +0200, Valentin Sundermann wrote:
> Hi,
>
> I enforce HTTPS on all my domains by sending the HSTS header to my
> visitors. HSTS forces the browser to use in future only secure
> connections to this domain. More info on Wikipedia[1] :)
> Since my keyserver could

Re: [Sks-devel] Pools & HSTS header

2016-05-30 Thread Valentin Sundermann
Hi,
> I wrote up how I have nginx configured to do HSTS while being in the pool.
Yeah, of course this is possible. But I think the problem is that there's no hint for keyserver operators that they should have a look at their configs. If just one keyserver sends an HSTS header for a pool domain

Re: [Sks-devel] Pools & HSTS header

2016-05-25 Thread Daniel Roesler
I wrote up how I have nginx configured to do HSTS while being in the pool.
https://daylightpirates.org/index.html?posts/2016-05-25_hsts-hkps.md
Daniel
On Wed, May 25, 2016 at 3:47 PM, Valentin Sundermann wrote:
> Hi,
>
> I enforce HTTPS on all my domains by sending the HSTS

[Sks-devel] Pools & HSTS header

2016-05-25 Thread Valentin Sundermann
Hi, I enforce HTTPS on all my domains by sending the HSTS header to my visitors. HSTS forces the browser to use in future only secure connections to this domain. More info on Wikipedia[1] :) Since my keyserver could be added to pools of keyservers without any notice to me, it could be possible