On 10/05/2012 06:23 PM, Phil Pennock wrote:
> Speaking for myself, I only use TLSv1+ and my nginx is built with SNI
> support, so if you want to figure out a policy for handing out certs, I
> can add a new cert for SNI hostnames in *.pool.sks-keyservers.net.

alternately (or in addition?), we could use monkeysphere and the hkpms gpg keyserver handler, which would let us trivially add extra hostnames to each keyserver's certificate (an OpenPGP certificate, not X.509).

Those of us who run servers in the pool or who are interested in keeping track of the players here could cross-verify each others' certificates, and end users who know or are willing to rely on us could verify them that way, while setting

    keyserver hkpms://hkps.pool.sks-keyservers.net

in ~/.gnupg/gpg.conf.

I'm happy to help people walk through those steps if they want, and if people think that's a reasonable idea.

if people don't think it's a reasonable idea, i'd be interested to hear the reasons for that too.

thanks for setting up the pool, kristian!

--dkg