Folks, TLS 1.3 is nearing finalization and has done a bunch of work to try to get through middleboxes, but will probably still cause issues for some small percentage of clients behind corporate firewalls.
This will affect servers in pools which offer HKPS on port 443. It might lead to sporadic server failure for clients, after years of getting better. Do we care? Is there anything sane to be done, for the pools?

I'm tentatively thinking that we can rely upon the `*.pool.sks-keyservers.net` entry in the certs from Kristian's pool, to add an experimental `tls13.pool.sks-keyservers.net` pool; we could ask keyserver operators to hold off on enabling TLS1.3 on the normal vhost and set `tls13` to be willing to negotiate TLS1.3. Any PGP client which doesn't match wildcards ... won't be affected unless and until someone tries to use the new name.

Thoughts? Anything along the lines of "yes, but only for one year, then we will want it in the main pool"? _Anything_ other than "whatever, we don't care" will require more checks from the pool maintenance software. (Various bits of tuning available for experiments but not sure of the utility of them; eg, `tls13-min`, `tls13-only`, and so forth).

Regards,
-Phil
_______________________________________________ Sks-devel mailing list Sks-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/sks-devel
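One shape the extra pool-maintenance check could take, as an added example that is not code from the thread or from the pool software: probe a member's HKPS vhost requiring TLS 1.3, and report whether its certificate covers the proposed `tls13.pool.sks-keyservers.net` name exactly or only via the `*.pool.sks-keyservers.net` wildcard (the latter is what a client that doesn't match wildcards would reject). The host name `keyserver.example.org` is a constructed placeholder; the pool name and wildcard are the ones from the message.

```python
"""Added example: TLS 1.3 / pool-name coverage probe for an HKPS keyserver.
Not the pool software's own code; names marked below are assumptions."""
import socket
import ssl
from typing import Iterable, Optional

POOL_NAME = "tls13.pool.sks-keyservers.net"  # pool name proposed in the message


def san_coverage(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """How the certificate's DNS SANs cover hostname: 'exact', 'wildcard' or None.
    Wildcard rule is the single-label one (RFC 6125 s6.4.3): '*.pool.example'
    covers 'a.pool.example' but neither 'pool.example' nor 'x.a.pool.example'."""
    host = hostname.lower().rstrip(".")
    via_wildcard = False
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return "exact"                      # explicit entry wins
        if name.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                via_wildcard = True
    return "wildcard" if via_wildcard else None


def probe_tls13(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, refusing anything below TLS 1.3, and report the
    negotiated version plus how the presented cert covers POOL_NAME.
    Chain validation stays on; hostname matching is done by san_coverage so the
    pool tooling can tell 'exact' from 'wildcard-only'. Errors propagate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=POOL_NAME) as tls:
            cert = tls.getpeercert()
            sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
            return {"version": tls.version(),
                    "coverage": san_coverage(sans, POOL_NAME)}


if __name__ == "__main__":
    # Constructed placeholder host; a real run would iterate over pool members.
    print(probe_tls13("keyserver.example.org"))
```

A server reporting `coverage == "wildcard"` is one that the non-wildcard clients mentioned in the message would fail against, so the pool tooling can keep it out of the experimental pool or flag it for the operator.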