On Thu, Mar 12, 2009 at 01:17:08PM -0400, Daniel Kahn Gillmor wrote:
> On 03/12/2009 12:33 AM, David Shaw wrote:
>
> > As the author of that patch, let me request that you - please - don't
> > adopt it just yet. To be sure, the feature is coming, but the exact
> > semantics are not yet set in stone. Adopting the feature before it is
> > finished and released ties the hands of those working on it, as it would
> > be much harder to make changes to the design.
>
> David, thanks for the quick feedback here (and for authoring the patch
> in the first place!) I understand why you wouldn't want your hands tied
> for something that may change, and respect that. Can i contribute to
> sorting out the target semantics somehow?

Please do!

> What part of the semantics
> are you concerned may change? As far as i can tell, the user-facing
> bits of the change are:
>
> * keyservers providing secured HKP are expected to run TLS-wrapped HKP
> by default on port 11372 (the hkp port + 1). of course, running on
> alternate ports is not forbidden.

Yes. I'm not 100% ready to discard TLS over 11371 quite yet, though.
TLS upgrade gives a lot of nice semantics that SSL over 11372 doesn't
have. I need to test what is possible here.

> * if a user prefixes their keyserver location with hkps://, and gpg is
> built with libcurl, gpg will wrap its connections to the keyserver
> in TLS (using 11372 by default instead of 11371), and will verify the
> remote machine's identity before performing keyserver access.

Currently that is what the patch does. It might be nice to also
support client-side certificates. Remember that gpg2 does X.509
natively, so we certainly have access to the certs to identify
ourselves with.

Are you on gnupg-devel? I've started a thread there so the GPG
community can talk about this.

David