
Re: [Sks-devel] Joining hkps.pool.sks-keyservers.net


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Joining hkps.pool.sks-keyservers.net
Date: Mon, 21 Sep 2015 19:51:05 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0

On 09/21/2015 06:02 PM, William Hay wrote:
> So having acquired a whole bunch of peers for my keyserver I'm now 
> thinking about adding hkps support and becoming part of 
> hkps.pool.sks-servers.net.  I've got a couple of queries though. 
> 1. I'll probably want to share the port 443 with other sites.  Can
> one assume that SNI is supported by hkps clients or is there
> another mechanism recommended for hkps sharing a port?

Yes, you can assume SNI.

> 
> 2. Presumably I need to create a CSR for hkps.pool.sks-servers.net 
> rather than my own server name since that is what people will be

CN should be server name, the pool addresses are added as SANs

> trying to connect to.  Is there any preference with regard to 
> SubjectAltName vs CommonName or both?  The modern practice seems
> to

You add CN, I add the SANs when certifying

> be to use SubjectAltName but backward compatibility seems to be an 
> important part of the keyserver world.

Not for HKPS part, people should use up to date TLS libraries or
security is broken, but more practically it is the only way to support
using port 443 for most administrators that have shared services.
> 
> 3. Are there any conventions regarding what should go into other 
> fields of the DN when creating one's CSR?

I should probably know this by heart, but don't have the config file
around atm; to be safe include CN, O, ST, C

> 
> 4. Assuming I want to turn on HSTS I presumably need to install and 
> configure sslh to front port 443.  Anything else that might catch
> me out?
> 
> William
> 
> 
> 
> _______________________________________________ Sks-devel mailing 
> list address@hidden 
> https://lists.nongnu.org/mailman/listinfo/sks-devel
> 


-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"A ship is safe in harbour, but that's not what ships are for"
(Will Shedd)
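Putting the thread's advice together, as an added example that is not code from the thread or from the SKS project: a POSIX shell script that builds the CSR with CN set to the server's own name and the DN fields CN, O, ST, C, imitates the pool operator's signing step locally only so that a SAN check for hkps.pool.sks-keyservers.net can be exercised offline, and fetches the certificate that SNI selects on a shared port 443. The hostname, DN values, file names and function names are assumptions.

```shell
#!/bin/sh
# Constructed example: CSR with CN = own server name and DN fields CN, O, ST, C;
# the SANs (own name + pool name) are added at signing time by the pool
# operator, which sign_locally() only imitates so the SAN check runs offline.
set -eu

HKPS_HOST="${HKPS_HOST:-keys.example.org}"   # placeholder: your server name -> CN
POOL_NAME="hkps.pool.sks-keyservers.net"    # must appear as a DNS SAN
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Key + CSR with the suggested DN fields; prints the CSR path.
make_csr() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $HKPS_HOST
O  = Example Keyserver Operator
ST = Somewhere
C  = XX
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/csr.cnf" \
        -keyout "$WORKDIR/hkps.key" -out "$WORKDIR/hkps.csr" 2>/dev/null
    printf '%s\n' "$WORKDIR/hkps.csr"
}

# Subject of a CSR, for a last look before sending it off.
csr_subject() { openssl req -in "$1" -noout -subject; }

# Stand-in for the pool operator's signing step: self-sign the CSR and add the
# server name plus the pool name as SANs.  Prints the certificate path.
sign_locally() {
    printf 'subjectAltName=DNS:%s,DNS:%s\n' "$HKPS_HOST" "$POOL_NAME" > "$WORKDIR/san.cnf"
    openssl x509 -req -in "$1" -signkey "$WORKDIR/hkps.key" -days 30 -sha256 \
        -extfile "$WORKDIR/san.cnf" -out "$WORKDIR/hkps.crt" 2>/dev/null
    printf '%s\n' "$WORKDIR/hkps.crt"
}

# Succeeds when the certificate lists the pool name as a DNS SAN.
cert_has_pool_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$POOL_NAME"
}
# After deployment behind a shared port 443: the certificate that SNI for the
# pool name actually selects, ready to be saved and passed to cert_has_pool_san.
sni_served_cert() {
    openssl s_client -connect "$1:443" -servername "$POOL_NAME" </dev/null 2>/dev/null \
        | openssl x509
}
```

Send the CSR from make_csr to the pool operator; once the signed certificate is installed, `sni_served_cert your.host > served.crt` followed by `cert_has_pool_san served.crt` confirms that the pool name is covered and that SNI on the shared port returns that certificate.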