Hi, I enforce HTTPS on all my domains by sending the HSTS header to my visitors. HSTS forces the browser to use in future only secure connections to this domain. More info on Wikipedia[1] :) Since my keyserver could be added to pools of keyservers without any notice to me. It could be possible that some servers will send these kind of headers on pool domains too. HSTS has a feature which adds a domain to a list of sites (see [2]) which is preloaded in the browsers source code. Especially with this feature servers could instruct browsers to only use HTTPS on a pool domain which would obviously cause some problems with other servers that don't support HTTPS. After all some browser (which experienced HSTS header) could lose their connectivity to many other servers. This is either only a temporary issue (there's a timespan in the header for how long HTTPS is enforced) or with a pool on a preload list, this could destroy the domain name irrevocably (there's no way to revoke things on this list).
I didn't read something to this issue when setting up my keyserver. I think a small hint for keyserver admins somewhere in a manpage/readme/etc would be useful. Another good thing would be checks from the pool operator side to check the server's headers before adding it to the pool. This would sort out most of the "problematic" servers. Did I miss there something or could this really lead to problems? :) Best regards, Valentin [1] https://en.wikipedia.org/wiki/HSTS [2] https://hstspreload.appspot.com _______________________________________________ Sks-devel mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/sks-devel
