On 05/27/2014 11:41 PM, Andrew Alderwick wrote:
> Dear Rolf,
>
> On Tue, May 27, 2014 at 10:18:31PM +0200, Rolf Wuerdemann wrote:
>> On 27.05.2014 17:41, Kristian Fiskerstrand wrote:
>>> On 05/27/2014 05:00 PM, Daniel Kahn Gillmor wrote:
>>>> To check the inclusion of your server in the hkps pool, look
>>>> at the HKPS column of:
>>>>
>>>> https://sks-keyservers.net/status/
>>
>> Could you please explain the color-codes (on the page?).
>> Red/green is obvious, but I don't know where this "orange" color
>> for hkps sites comes from (SNI?)
>
> Orange under the hkps column means that the server is vulnerable
> to CVE-2014-3207, which has been patched in SKS 1.1.5 [1,2].
>
> The vulnerability isn't limited to hkps, but Kristian will at some
> point make 1.1.5 a requirement for being part of the hkps pool [3].
> So the orange is left undocumented as it's intended as a temporary
> warning to admins (such as me!) who are yet to update their
> servers.
>

To clarify, I updated the statement a bit on [0,1] so that servers on
older versions with a backported security patch or behind a mitigating
reverse proxy configuration will still be included; this is handled by
the pool software and is why some HKPS are flagged green despite being
<1.1.5.

References:
[0] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00056.html
[1] http://lists.nongnu.org/archive/html/sks-devel/2014-05/msg00057.html

-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"Great things are not accomplished by those who yield to trends and fads
and popular opinion." (Jack Kerouac)