On 10/08/2012 07:44 PM, Kristian Fiskerstrand wrote:
> On 10/07/2012 03:18 AM, Phil Pennock wrote:
>> On 2012-10-06 at 11:12 +0200, Stephan Seitz wrote:
>>> I'd like to add ssl to my server, but prior I'm afraid I need a few
>>> questions answered.
>>> If I'm going to install a self-signed *.pool.sks-keyservers.net, that
>>> CRT wouldn't have any reputation. As long as there's no additional trust
>>> added (e.g. via monkeysphere), one main purpose of certificates, the
>>> knowledge of talking to the right server, isn't given.
>>
>> I think that self-signed is out. But if the pool server operator issues
>> certs, given a CSR from you, then all certs are valid given a trust in
>> the CA which is the pool server operator.
>>
>> If Kristian decides that he wants to take on this work, and figure out a
>> safe way of managing key storage, then we can talk to the GnuPG folks
>> about getting his private CA cert (created for this) shipped with GnuPG
>> as an additional trust anchor. It doesn't need to be a system cert,
>> just something which that application uses.
>>
>
> Ok, I think I'm getting closer to having a working setup for a CA here
> using subjectAltNames for hkps.pool.sks-keyservers.net
>
> The current CA cert is available at [0] and I only currently sign
> https://keys.kfwebs.net:11375 and https://keys2.kfwebs.net.
>
> Anyone up for some testing?
>
> [0] https://sks-keyservers.net/sks-keyservers.netCA.pem
>
Just FYI, I have then modified the scripts to only include servers that
are signed with this CA in the pool. So the testing part would be to send
me a CSR for the server by email, presumably using something in the form of

openssl req -out CSR.csr -key privateKey.key -new

No subjectAltName should be necessary for the CSR generation as this is
added by me upon creating the certificate.

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Divide et impera
Divide and govern
----------------------------
This email was digitally signed using the OpenPGP standard.
If you want to read more about this
The book: Sending Emails - The Safe Way: An introduction to OpenPGP security
is available in both Amazon Kindle and Paperback format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
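The CSR-then-CA-adds-SAN flow described in the message, as an added example that is not part of the thread or of the SKS project's own scripts. It assumes the openssl command line tool is installed; keys.example.org, the file names and the throw-away "Example Pool CA" are placeholders standing in for a real pool server and for the sks-keyservers.net CA, so the only thing it really demonstrates is the shape of the exchange: a CSR with nothing but a CN, a CA that appends hkps.pool.sks-keyservers.net as a subjectAltName at signing time, and a client-side check that the issued cert chains to the CA and carries the pool name.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Placeholder hostnames
# and a throw-away CA are used in place of the real pool CA.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1 (server operator): private key plus a CSR carrying only the CN.
# No subjectAltName is requested; the CA adds it when it signs.
make_csr() {   # $1 = server hostname
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/privateKey.key" -out "$WORK/CSR.csr" 2>/dev/null
  # Sanity check: the CSR's self-signature must verify before mailing it.
  openssl req -in "$WORK/CSR.csr" -noout -verify >/dev/null 2>&1
}

# Step 2 (CA, stand-in for the pool CA): issue the cert and append the pool
# name as an extra DNS SAN next to the server's own name.
issue_cert() {   # $1 = server hostname
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Pool CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s,DNS:hkps.pool.sks-keyservers.net\n' "$1" \
    > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/CSR.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3 (HKPS client): chain check against the CA, then confirm the expected
# name is in the SAN list. Prints "ok" on success, returns 1 otherwise.
verify_cert() {   # $1 = hostname the client is connecting to
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1" || return 1
  echo ok
}

make_csr keys.example.org
issue_cert keys.example.org
verify_cert hkps.pool.sks-keyservers.net
```

The final check is what makes the pool name usable: the cert is valid for the server's own name and for the pool name, while any other hostname fails the SAN match.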
_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel
