On 10/05/2012 06:23 PM, Phil Pennock wrote:
> Speaking for myself, I only use TLSv1+ and my nginx is built with SNI
> support, so if you want to figure out a policy for handing out certs, I
> can add a new cert for SNI hostnames in *.pool.sks-keyservers.net.

Alternatively (or in addition?), we could use monkeysphere and the hkpms
gpg keyserver handler, which would let us trivially add extra hostnames
to each keyserver's certificate (an OpenPGP certificate, not X.509).

Those of us who run servers in the pool or who are interested in keeping
track of the players here could cross-verify each other's certificates,
and end users who know or are willing to rely on us could verify them
that way, while setting

   keyserver hkpms://hkps.pool.sks-keyservers.net

in ~/.gnupg/gpg.conf.

I'm happy to help people walk through those steps if they want, and if
people think that's a reasonable idea.

If people don't think that's a reasonable idea, I'd be interested to hear
the reasons for that too.

thanks for setting up the pool, Kristian!

        --dkg


_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel