On 10/07/2012 03:18 AM, Phil Pennock wrote:
> On 2012-10-06 at 11:12 +0200, Stephan Seitz wrote:
>> I'd like to add ssl to my server, but prior I'm afraid I need a few
>> questions answered.
>> If I'm going to install a self-signed *.pool.sks-keyservers.net, that
>> CRT wouldn't have any reputation. As long as there's no additional trust
>> added (e.g. via monkeysphere), one main purpose of certificates, the
>> knowledge of talking to the right server, isn't given.
>
> I think that self-signed is out. But if the pool server operator issues
> certs, given a CSR from you, then all certs are valid given a trust in
> the CA which is the pool server operator.
>
> If Kristian decides that he wants to take on this work, and figure out a
> safe way of managing key storage, then we can talk to the GnuPG folks
> about getting his private CA cert (created for this) shipped with GnuPG
> as an additional trust anchor. It doesn't need to be a system cert,
> just something which that application uses.
>

Ok, I think I'm getting closer to having a working setup for a CA here
using subjectAltNames for hkps.pool.sks-keyservers.net

The current CA cert is available at [0] and I only currently sign
https://keys.kfwebs.net:11375 and https://keys2.kfwebs.net.

Anyone up for some testing?

[0] https://sks-keyservers.net/sks-keyservers.netCA.pem

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Nulla regula sine exceptione
No rule without exception
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel
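
The arrangement discussed in this message (a private pool CA signs each operator's CSR with a subjectAltName for the pool name, and clients trust only that CA) can be rehearsed offline with the sketch below. It is an added example, not part of the original e-mail or the pool's actual tooling; the CA is a throwaway one and `keys.example.net` is a hypothetical member hostname.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and keys, not the real sks-keyservers.net CA.
POOL=hkps.pool.sks-keyservers.net   # pool name from the message
HOST=keys.example.net               # hypothetical pool member hostname

make_demo_pki() {  # $1 = empty work directory
    dir=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo pool CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # 1. Pool operator: private CA certificate that clients use as trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/pki.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2. Keyserver operator: own key plus a CSR; the private key never leaves.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=$HOST" -keyout "$dir/srv.key" -out "$dir/srv.csr" \
        2>/dev/null || return 1
    # 3. Pool operator: sign the CSR; the CA, not the CSR, sets the SAN list.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:%s\n' \
        "$POOL" "$HOST" > "$dir/san.ext"
    openssl x509 -req -in "$dir/srv.csr" -days 30 -extfile "$dir/san.ext" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.pem" 2>/dev/null
}

# Succeeds only if srv.pem chains to the demo CA and a SAN matches $2.
check_name() {  # $1 = work directory, $2 = hostname the client asked for
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
        "$1/srv.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    for name in "$POOL" "$HOST" unrelated.example.org; do
        if check_name "$d" "$name"; then echo "$name: OK"
        else echo "$name: rejected"; fi
    done
    rm -rf "$d"
}
demo
```

Because the SAN list comes from the signer's extension file rather than from the CSR, a member cannot obtain extra names simply by requesting them.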
