From: dirk astrath
Subject: Re: [Sks-devel] Unde(r)served HKPS [was: Underserved areas?]
Date: Sat, 13 Jan 2018 20:10:35 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

Hi Kristian,
A misissued cert could still be used if the attacker is persistent enough, either through DNS poisoning or other attack vectors. And yes, I only issue certs to servers I recognize to have been in the pool for a while, and the operator should be in the OpenPGP WoT strong set.
Maybe it's wise if you give some more details on the *.csr file ... as you will not sign certificate requests containing unneeded/unverifiable/... information.
(Well ... at the CAcert site we remove all data we couldn't verify from the CSR and create the certificate only with the details we're able to verify ... this could be a possibility for you, too.)
And ... (remembering a discussion we had at Fosdem last year): Maybe you give some dates like (please provide CSR requests before 2018-xx-01), so there will only be some special days per year for you to sign a bunch of requests instead of getting the requests all over the year ...
Kind regards,
dirk
PS: Which reminds me that I wanted to send you updated CSRs ... ;-)