sks-devel

[Sks-devel] TLS 1.3 and HKPS pool


From: Phil Pennock
Subject: [Sks-devel] TLS 1.3 and HKPS pool
Date: Mon, 19 Mar 2018 17:08:30 -0400

Folks,

TLS 1.3 is nearing finalization and has done a bunch of work to try to
get through middleboxes, but will probably still cause issues for some
small percentage of clients behind corporate firewalls.

This will affect servers in pools which offer HKPS on port 443.  It
might lead to sporadic server failure for clients, after years of
getting better.

Do we care?

Is there anything sane to be done, for the pools?

I'm tentatively thinking that we can rely upon the
`*.pool.sks-keyservers.net` entry in the certs from Kristian's pool, to
add an experimental `tls13.pool.sks-keyservers.net` pool; we could ask
keyserver operators to hold off on enabling TLS1.3 on the normal vhost
and set `tls13` to be willing to negotiate TLS1.3.

Any PGP client which doesn't match wildcards ... won't be affected
unless and until someone tries to use the new name.

Thoughts?  Anything along the lines of "yes, but only for one year, then
we will want it in the main pool"?  _Anything_ other than "whatever, we
don't care" will require more checks from the pool maintenance software.

(Various bits of tuning available for experiments but not sure of the
utility of them; e.g., `tls13-min`, `tls13-only`, and so forth).

Regards,
-Phil

Attachment: signature.asc
Description: Digital signature
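An added example, not part of the message above and not code from the SKS pool software: the two pieces the proposal would need. First, the RFC 6125-style wildcard match a client has to perform for the `*.pool.sks-keyservers.net` SAN to cover `tls13.pool.sks-keyservers.net` (and not the bare `pool.sks-keyservers.net` or a deeper name). Second, a probe that connects to a server under a given SNI name with the TLS version pinned, plus a classifier that turns the results into candidate pool membership. The pool names come from the message; the membership rules, the `VhostResult` shape, the `keyserver.example.org` placeholder and the meaning given to `tls13-only` are assumptions made for this example.

```python
"""Pool-check helpers for an experimental TLS 1.3 HKPS pool.

Added example; not code from the message or from the SKS pool software.
The wildcard/pool names come from the message; the membership rules, the
placeholder server name and the VhostResult shape are assumptions.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional

WILDCARD_SAN = "*.pool.sks-keyservers.net"      # SAN in the pool certs (from the message)
TLS13_POOL = "tls13.pool.sks-keyservers.net"    # proposed experimental pool name


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match as a client is expected to do it.

    A '*' may only be the whole leftmost label and matches exactly one label,
    so '*.pool.sks-keyservers.net' covers 'tls13.pool.sks-keyservers.net' but
    neither 'pool.sks-keyservers.net' nor 'a.b.pool.sks-keyservers.net'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h or len(p) != len(h):
        return False
    if any("*" in label for label in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False                              # partial or non-leftmost wildcards
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]     # never let '*.net' match anything
    return p == h


@dataclass
class VhostResult:
    """What a server negotiated when probed under one SNI name (assumed shape)."""
    sni: str
    tls12: bool   # handshake succeeded with TLS 1.2 pinned as min and max
    tls13: bool   # handshake succeeded with TLS 1.3 pinned as min and max


def negotiated_version(host: str, port: int, sni: str, *,
                       version: ssl.TLSVersion, timeout: float = 5.0) -> Optional[str]:
    """Connect to host:port with SNI `sni`, allowing only `version`.

    Returns the protocol string (e.g. 'TLSv1.3') or None if the handshake
    failed, so a middlebox or server that breaks 1.3 shows up as None.
    Certificate verification stays on, which exercises the wildcard SAN.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                return tls.version()
    except (OSError, ValueError):                 # ssl.SSLError is an OSError
        return None


def probe_vhost(host: str, port: int, sni: str) -> VhostResult:
    """Probe one vhost twice: once pinned to TLS 1.2, once pinned to TLS 1.3."""
    v12 = negotiated_version(host, port, sni, version=ssl.TLSVersion.TLSv1_2)
    v13 = negotiated_version(host, port, sni, version=ssl.TLSVersion.TLSv1_3)
    return VhostResult(sni, v12 == "TLSv1.2", v13 == "TLSv1.3")


def classify(main: VhostResult, tls13: VhostResult) -> Dict[str, bool]:
    """Assumed pool-membership rules (not the real pool checker's):

    - 'main':       TLS 1.2 works on the normal vhost and TLS 1.3 is not
                    offered there (operators asked to hold off).
    - 'tls13':      the tls13 vhost negotiates TLS 1.3 and still falls back
                    to TLS 1.2 for clients that cannot do 1.3.
    - 'tls13-only': the tls13 vhost negotiates TLS 1.3 and refuses TLS 1.2.
    """
    return {
        "main": main.tls12 and not main.tls13,
        "tls13": tls13.tls13 and tls13.tls12,
        "tls13-only": tls13.tls13 and not tls13.tls12,
    }


if __name__ == "__main__":
    # Constructed results, as a live probe might return them. For a real run:
    #   probe_vhost("keyserver.example.org", 443, TLS13_POOL)   # placeholder host
    main_vhost = VhostResult("hkps-main", tls12=True, tls13=False)
    tls13_vhost = VhostResult(TLS13_POOL, tls12=True, tls13=True)
    print(classify(main_vhost, tls13_vhost))
    print(san_matches(WILDCARD_SAN, TLS13_POOL))
```

The probe pins minimum and maximum to the same version so that a failure with 1.3 pinned is a clean signal rather than a silent fallback to 1.2; a pool checker that wants to see the middlebox problem the message describes has to run both probes, because a default context would negotiate 1.2 and report success either way.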

