On Fri, Jun 03, 2016 at 04:49:57PM +0200, Christoph Egger wrote:
> Well.
>
> http://pool.sks-keyservers.net(:11371)? --redirect-->
> https://keyserver.siccegge.de
>
> And if keyserver.siccegge.de present a valid certificate + HSTS would be
> a problem no? (and potentially undetected if the pool script mainly
> checks API pages)

You don't specify what hostname keyserver.siccegge.net presents a valid certificate for, which is kind of key.

If it does an http redirect to https://keyserver.siccegge.de which presents a certificate for keyserver.siccegge.de then it is keyserver.siccegge.de that will go into the https only list, which is fine since keyserver.siccegge.de supports https.

If it does an http redirect to https://pool.sks-keyservers.net then unless keyserver.siccegge.de has a certificate in that name the browser will start complaining loudly and won't even see the HSTS header.

William
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
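
The two redirect cases from the reply above, modelled as an added example (not part of the original mail and not any browser's code): a user agent following RFC 6797 notes an HSTS policy only for the host that served the header over an error-free TLS connection. The `Response` type, `follow` function and scenario names are hypothetical, and certificate matching is simplified to an exact name comparison.

```python
# Constructed model of the user-agent HSTS rules (RFC 6797); sample data is made up.
from dataclasses import dataclass

@dataclass
class Response:
    scheme: str                      # "http" or "https"
    host: str                        # host the request was sent to
    cert_names: tuple = ()           # names on the certificate presented (https only)
    hsts: bool = False               # Strict-Transport-Security header present
    redirect: "Response | None" = None   # next hop in the redirect chain

def follow(first, hsts_hosts):
    """Walk a redirect chain, updating hsts_hosts the way a browser would."""
    hop = first
    while hop is not None:
        if hop.scheme == "https":
            if hop.host not in hop.cert_names:
                # TLS error: the connection is aborted before any header is read.
                return "certificate error at " + hop.host
            if hop.hsts:
                # The policy is keyed to the host that served it, nothing else.
                hsts_hosts.add(hop.host)
        # An HSTS header received over plain http is ignored.
        hop = hop.redirect
    return "ok"

def scenario_own_name():
    """Pool name redirects to the server's own name, which has a valid cert."""
    target = Response("https", "keyserver.siccegge.de",
                      cert_names=("keyserver.siccegge.de",), hsts=True)
    start = Response("http", "pool.sks-keyservers.net", hsts=True, redirect=target)
    noted = set()
    return follow(start, noted), noted

def scenario_pool_name():
    """Pool name redirects to https on the pool name; cert is for another host."""
    target = Response("https", "pool.sks-keyservers.net",
                      cert_names=("keyserver.siccegge.de",), hsts=True)
    start = Response("http", "pool.sks-keyservers.net", redirect=target)
    noted = set()
    return follow(start, noted), noted

if __name__ == "__main__":
    print(scenario_own_name())
    print(scenario_pool_name())
```

In the first scenario only keyserver.siccegge.de ends up in the HTTPS-only set; in the second the set stays empty because the certificate check fails first.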