On 10/08/2012 10:49 PM, Phil Pennock wrote:
> On 2012-10-08 at 22:12 +0200, Kristian Fiskerstrand wrote:
>> Lovely! Must admit my setup is a tad more plain than that (just using
>> nginx in front of SKS) :) Will be interesting to see how that goes.
>
> Mine too.

...

>
> So, assuming that GnuPG is also doing the right thing with SRV-based
> lookups, I think that the certificate side of things is working.
>

At least that is a good thing in all this :)

> Unfortunately, with an https: keyserver, GnuPG is sending a request for
> "/" instead of "/pks/lookup?..." :(
>
> If I do:
> % unbound-control local_data
> % _pgpkey-https._tcp.hkps.pool.sks-keyservers.net SRV 10 10 443
> sks.spodhuis.org
> ok
>
> and specify "keyserver hkps://hkps.pool.sks-keyservers.net" in
> ~/.gnupg/gpg.conf, then I find that GnuPG has a security bug!
>

That seems like another bug to add to the SRV port not being used for SRV handling. Are you sending it over to gnupg-{users,devel}? I'll have to remove the SRV record for keys.kfwebs.net for the pool to function correctly at the moment, as this is not handled. But that bug has already been reported upstream.

Any thoughts on how I should proceed? Should I disable the cert check in my crawler so that all hkps servers show up for now until some more of the server operators (presuming they want to) generate CSRs, or, given the young nature of this pool, would it be OK to just grow organically?

-- 
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Veni vidi visa
I came, I saw, I bought
----------------------------
This email was digitally signed using the OpenPGP standard.
If you want to read more about this
The book: Sending Emails - The Safe Way: An introduction to OpenPGP security
is available in both Amazon Kindle and Paperback format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel