On 01/14/2018 07:43 PM, Heiko Richter wrote:
> I bet the private key of "Kristian-CA" is on a system that is
> permanently connected to the internet and as soon as that key gets lost
> *all* GnuPG installations can't be trusted to do secure HKPS because
> some brainbug who didn't know the first thi
On 01/14/2018 08:46 PM, Kristian Fiskerstrand wrote:
> From a privacy perspective, then yes, using HKPS transport is better,
> but it doesn't improve anything if malicious servers are included in
> some way that records information anyways, so having all servers
> included reduces privacy, it doesn
On 01/14/2018 08:36 PM, Alain Wolf wrote:
> Unfortunately the problem of 95% of the server pool not supporting
> HKPS out of the box remains unresolved. For now.
>
> My opinion is still the same: Unencrypted HKP should be the exception
> and HKPS the rule. The majority of the pool servers need to
On 14.01.2018 16:55, Kristian Fiskerstrand wrote:
>
> That said, I'm a bit surprised about this discussion; nobody is required
> to use a single pool of keyservers.
>
That is certainly not the direction I wanted it to go with my initial post.
I personally, and I assume most of us, welcomed the
Please don't get me wrong on this, but I think you missed something here.
https://community.letsencrypt.org/t/do-dns-challenge-records-have-an-expiration/33658
I did not read through this very long, but it seems that the challenge
record expires after 30 days, so you would need to update it at le
On 14.01.2018 at 19:24, Heiko Richter wrote:
> didn't send that one to the list, sorry.
>
> Forwarded message
> Subject: Re: [Sks-devel] Fwd: Re: Unde(r)served HKPS [was:
> Underserved areas?]
> Date: Sun, 14 Jan 2018 19:15:59 +0100
> From: Heiko Richter
> A
BTW: That certificate you wanted to sign on December 22nd will not be
needed anymore. My server will adhere to security standards that have
been around for decades. It will not use certificates signed by
homegrown CA certificates that are hardcoded into software as it is a
serious system not coming
didn't send that one to the list, sorry.
Forwarded message
Subject: Re: [Sks-devel] Fwd: Re: Unde(r)served HKPS [was: Underserved
areas?]
Date: Sun, 14 Jan 2018 19:15:59 +0100
From: Heiko Richter
To: Moritz Wirth
On 14.01.2018 at 14:18, Moritz wrote
On 14.01.2018 at 16:55, Kristian Fiskerstrand wrote:
> On 01/14/2018 01:04 PM, Heiko Richter wrote:
>> The fact that your GPG client shows a secure connection is
>> either due to a faulty/incomplete validation algorithm that doesn't
>> check the CA signature of the server's cert or because "Kristia
On 01/14/2018 01:04 PM, Heiko Richter wrote:
> The fact that your GPG client shows a secure connection is
> either due to a faulty/incomplete validation algorithm that doesn't
> check the CA signature of the server's cert or because "Kristian-CA" is
> hardcoded into GnuPG. I don't know which one it
All in all, what do you want to do? Just keep trusted certificates or
improve the number of HKPS servers in the pool?
So how many certificates are issued with OCSP Stapling? 0.001%? And of
course you need OCSP for that (which is not the case right now, but yes
you do not have the problem with a t
On 14.01.2018 at 13:04, Moritz Wirth wrote:
>
> Certificate Revocation is broken in most browsers today so there is no
> reliable way to revoke a certificate (especially if you do not use OCSP).
>
There are ways to deal with that and any given trusted CA does so (OCSP
stapling and the must-stapl
On 14.01.2018 at 12:40, Gabor Kiss wrote:
>> Let's Encrypt has the DNS-01 challenge where the admin produces a
>> verification code that Kristian has to publish into his DNS zone through
>> a txt record. As soon as this is done the admin can create a certificate
>> that includes the pool hostnam
Certificate Revocation is broken in most browsers today so there is no
reliable way to revoke a certificate (especially if you do not use OCSP).
I don't think that it would be a big problem to get trusted certificates
for HKPS, however the trust problem stays the same and it comes with
other prob
> Let's Encrypt has the DNS-01 challenge where the admin produces a
> verification code that Kristian has to publish into his DNS zone through
> a txt record. As soon as this is done the admin can create a certificate
> that includes the pool hostname *and* his personal individual
> hostname(s) and
Hello,
For your keyserver you can use a certificate issued by any CA as long
as it does not contain one of the pool names. On my server I decided
to use Let's Encrypt.
You can, of course, but certificate validation will fail if the user comes
to you through the pool hostname. It's ugly, impolit
PS: Everything you wrote would have been true in 1998. The world of SSL
has evolved since then.
Forwarded message
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Sun, 14 Jan 2018 11:39:34 +0100
From: Heiko Richter
To: sks
On 14.01.2018 at 10:27, dirk astrath wrote:
> Hello,
>
>> first of all CACert is total crap. They have been removed from the Linux
>> distributions they were (falsely) included in and no browser ever
>> trusted them because they can't seem to pass the security audits. I
>> realize this comment wi
Hello,
first of all CACert is total crap. They have been removed from the Linux
distributions they were (falsely) included in and no browser ever
trusted them because they can't seem to pass the security audits. I
realize this comment will probably cause me a lot of ranting but it has
to be said