Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-17 Thread Daniel Kahn Gillmor
On Sun 2018-01-14 18:23:59 +, Heiko Richter wrote: > hardcoding a root certificate into a program has > *never* been any kind of accepted security system. pinning certificates (either end-entity or further up the chain) is considered a good practice in a design where there is an expected

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Kristian Fiskerstrand
On 01/14/2018 08:46 PM, Kristian Fiskerstrand wrote: > From a privacy perspective, then yes, using HKPS transport is better, > but it doesn't improve anything if malicious servers are included in > some way that records information anyways, so having all servers > included reduces privacy, it

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Kristian Fiskerstrand
On 01/14/2018 08:36 PM, Alain Wolf wrote: > Unfortunately the problem of 95% of the server pool not supporting > HKPS out of the box remains unresolved. For now. > > My opinion is still the same: Unencrypted HKP should be the exception > and HKPS the rule. The majority of the pool servers need to

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Alain Wolf
On 14.01.2018 16:55, Kristian Fiskerstrand wrote: > > That said I'm a bit surprised about this discussion, nobody is required > to use a single pool of keyservers. > That is certainly not the direction I wanted it to go with my initial post. I personally, and I assume most of us, welcomed

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Heiko Richter
On 14.01.2018 at 16:55, Kristian Fiskerstrand wrote: > On 01/14/2018 01:04 PM, Heiko Richter wrote: >> The fact that your GPG client shows a secure connection is >> either due to a faulty/incomplete validation algorithm that doesn't >> check the CA signature of the server's cert or because

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Kristian Fiskerstrand
On 01/14/2018 01:04 PM, Heiko Richter wrote: > The fact that your GPG client shows a secure connection is > either due to a faulty/incomplete validation algorithm that doesn't > check the CA signature of the server's cert or because "Kristian-CA" is > hardcoded into GnuPG. I don't know which one it

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Heiko Richter
On 14.01.2018 at 12:40, Gabor Kiss wrote: >> Let's Encrypt has the DNS-01 challenge where the admin produces a >> verification code that Kristian has to publish into his DNS zone through >> a txt record. As soon as this is done the admin can create a certificate >> that includes the pool

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Gabor Kiss
> Let's Encrypt has the DNS-01 challenge where the admin produces a > verification code that Kristian has to publish into his DNS zone through > a txt record. As soon as this is done the admin can create a certificate > that includes the pool hostname *and* his personal individual > hostname(s)

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread Heiko Richter
On 14.01.2018 at 10:27, dirk astrath wrote: > Hello, > >> first of all CACert is total crap. They have been removed from the Linux >> distributions they were (falsely) included in and no browser ever >> trusted them because they can't seem to pass the security audits. I >> realize this comment

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-14 Thread dirk astrath
Hello, first of all CACert is total crap. They have been removed from the Linux distributions they were (falsely) included in and no browser ever trusted them because they can't seem to pass the security audits. I realize this comment will probably cause me a lot of ranting but it has to be said

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-13 Thread Heiko Richter
Hi, first of all CACert is total crap. They have been removed from the Linux distributions they were (falsely) included in and no browser ever trusted them because they can't seem to pass the security audits. I realize this comment will probably cause me a lot of ranting but it has to be said that

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-13 Thread dirk astrath
Hi Kristian, A misissued cert could still be used if attacker is persistent enough. Either through DNS poisoning or other attack vectors. And yes, I only issue certs to servers I recognize to have been in the pool for a while and operator should be in the OpenPGP WoT strong-set. Maybe it's

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-11 Thread Kristian Fiskerstrand
On January 11, 2018 11:28:08 PM GMT+01:00, Moritz Wirth wrote: >I requested a certificate a few days ago, however only well known >keyservers receive a cert for HKPS (which is reasonable because the >certificates are valid for a year and there is no reliable way for >certificate

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-11 Thread Moritz Wirth
I requested a certificate a few days ago, however only well known keyservers receive a cert for HKPS (which is reasonable because the certificates are valid for a year and there is no reliable way for certificate revocation). Another idea around the mitm problem - the client retrieves the current

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-11 Thread Daniel Kahn Gillmor
On Thu 2018-01-11 22:30:54 +0100, Alain Wolf wrote: > Maybe something along the line of ... sounds like you're (roughly) reinventing some sort of acme protocol. if we're going to do that, then we should just encourage kristian to use acme directly. imho, having a dedicated CA for this

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-11 Thread Alain Wolf
On 11.01.2018 18:16, Alain Wolf wrote: > > Opinions, ideas anyone? > Maybe something along the line of ... 1) Server operator puts his PGP fingerprint in the server's contact information (as we do today but would need to be mandatory HKPS). 2) Server operator creates server private key and

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-11 Thread Alain Wolf
On 11.01.2018 20:06, Andrew Gallagher wrote: > On 11/01/18 17:16, Alain Wolf wrote: >> I don't know how Kristian's SKS CA came to existence. Maybe it was about >> avoiding additional costs for the volunteers, maybe about trust (or lack >> of it) in the commercial CAs. Maybe just the

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]

2018-01-11 Thread Alain Wolf
On 11.01.2018 17:28, Timothy A. Holtzen wrote: > > For HKPS Kristian Fiskerstrand is the one maintaining the CA. I believe > you can generate a CSR and send it in an encrypted message to him and he > will send you back the signed certificate. > > I would definitely say there is more need of