As this is obviously referring to my post, I would like to clarify a few things in order to avoid further confusion/misunderstandings:

I never suggested redirecting http connections to https (you and Kristian already pointed out the problems on the client side) and I never pushed people towards encryption.

What I did was to set up my key server in order to offer hkps connections. I saw the other ongoing post related to protocols and cipher suites and wanted to learn how the others in the hkps pool realized their web server configurations. I used the mentioned web tool and saw that a smaller part of that pool had insecure and/or weak settings related to SSL. I posted a rough summary in order to help to improve or harden (or whatever you might say) the hkps service on these servers. As I'm very limited with regard to programming skills etc., I saw this as a chance to give back at least something small to the community.

From my point of view, if a certain pool of key servers wants to offer hkps then it would be preferable if they did it with "state-of-the-art" implementations, protocols and cipher suites. That was the intention of my post. Nothing more, nothing less.

And regarding the upcoming question related to threat models etc., Phil was so kind to write a comprehensive post worth reading, which increased (I guess not only) my understanding of the topic.

Thank you for your time,
Matthias

On 19.08.2014 23:39, Jonathon Weiss wrote:
>
> So, a user suggested that we should redirect all http connections
> to https. The user was clearly confused in a number of ways about
> how the keyservers worked, and his specific examples of why it was
> important were incorrect. That said, there's clearly at least a
> little value in pushing people toward encryption.
>
> So, I was wondering. Has anyone done this? Are there concerns
> about (non-browser) clients using hkp but not supporting re-directs
> or hkps, who would then be unable to use our server? I suppose I
> could consider leaving port 11371 as is, but force re-directs on
> port 80. That would probably satisfy the clueless masses on the
> internet, but would it eliminate any risk of breakage?
>
> Jonathon
>
> Jonathon Weiss <jwe...@mit.edu> MIT/IS&T/O&I Server Operations
>
> _______________________________________________
> Sks-devel mailing list
> Sks-devel@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/sks-devel