sks-devel

Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]


From: Alain Wolf
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Thu, 11 Jan 2018 18:16:42 +0100


On 11.01.2018 17:28, Timothy A. Holtzen wrote:

> 
> For HKPS Kristian Fiskerstrand is the one maintaining the CA.  I believe
> you can generate a CSR and send it in an encrypted message to him and he
> will send you back the signed certificate. 
> 
> I would definitely say there is more need of HKPS hosts.  I think there
> are only 6 and only two of those have IPv6 connectivity.
> 

It pains me a lot to see so little. Five to six percent HKPS, where
server-side HTTPS usage is now 67% according to Mozilla[1]. And we send
more interesting meta-data over HKP than over HTTP. It's a mildly
obfuscated personal contact list. There is no other unencrypted service
in my pool. I neither use any as a client nor provide any.

I don't know how Kristian's SKS CA came into existence. Maybe it was about
avoiding additional costs for the volunteers, maybe about trust (or lack
of it) in the commercial CAs. Maybe just the DNS-pool-problem. Maybe
something else entirely.

But a lot of things have changed in this area in the last couple of
years. Maybe we could re-think this. Maybe there is a way, for an
ACME-challenge like DNS-01 or TLS-SNI to somehow work if a server is a
legitimate pool member? Maybe even just distribute a private key and
cert[2]? It should be automated. I want to have more green and fewer red
bricks in that wall[3].

Opinions, ideas anyone?

[1] https://letsencrypt.org/stats/
[2] Don't be shocked, it's completely normal for coffee-shops to
distribute their WiFi password, just to avoid having their clients
connect unencrypted.
[3] https://sks-keyservers.net/status/

-- 
pgpkeys.urown.net 11370 # <address@hidden> 0x27A69FC9A1744242
