Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]


From: dirk astrath
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Sat, 13 Jan 2018 20:10:35 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

Hi Kristian,

A misissued cert could still be used if an attacker is persistent enough. Either
through DNS poisoning or other attack vectors.
And yes, I only issue certs to servers I recognize to have been in the pool for
a while and the operator should be in the OpenPGP WoT strong-set.

Maybe it's wise if you give some more details on the *.csr file ... as you will not sign certificate requests containing unneeded/unverifiable/... information.

(Well ... at the CAcert site we remove all data we couldn't verify from the CSR and create the certificate only with the details we're able to verify ... this could be a possibility for you, too.)

And ... (remembering a discussion we had at Fosdem last year):

Maybe you give some dates like (please provide CSR requests before 2018-xx-01), so there will only be some special days per year for you to sign a bunch of requests instead of getting the requests all over the year ...

Kind regards,

dirk

PS: Which reminds me that I wanted to send you updated CSRs ... ;-)


