On 10/08/2012 11:01 PM, Kristian Fiskerstrand wrote:
> On 10/08/2012 10:49 PM, Phil Pennock wrote:
>> On 2012-10-08 at 22:12 +0200, Kristian Fiskerstrand wrote:
>>> Lovely! Must admit my setup is a tad more plain than that (just using
>>> nginx in front of SKS) :) Will be interesting to see how that goes.
>>
>> Mine too.
>
> ...
>
>>
>> So, assuming that GnuPG is also doing the right thing with SRV-based
>> lookups, I think that the certificate side of things is working.
>>
>
> At least that is a good thing in all this :)
>
>> Unfortunately, with an https: keyserver, GnuPG is sending a request for
>> "/" instead of "/pks/lookup?..." :(
>>
>> If I do:
>> % unbound-control local_data
>> % _pgpkey-https._tcp.hkps.pool.sks-keyservers.net SRV 10 10 443
>> sks.spodhuis.org
>> ok
>>
>> and specify "keyserver hkps://hkps.pool.sks-keyservers.net" in
>> ~/.gnupg/gpg.conf, then I find that GnuPG has a security bug!
>>
>

Just a point I forgot in my latest email. I'm checking port 443 by default if there is no SRV record. So you should be able to just remove this in your setup.

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
"Great things are not accomplished by those who yield to trends and fads and popular opinion."
(Jack Kerouac)
----------------------------
This email was digitally signed using the OpenPGP standard.
If you want to read more about this
The book: Sending Emails - The Safe Way: An introduction to OpenPGP security
is available in both Amazon Kindle and Paperback format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
_______________________________________________
Sks-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/sks-devel
