hkps port

Phil Pennock gnupg-devel at spodhuis.org
Thu Apr 2 06:24:04 CEST 2009


On 2009-04-01 at 22:51 -0400, David Shaw wrote:
> After some pondering about the proper port for hkps, I think that 443  
> makes the most sense (in other words, use the same port number as  
> https).  The reality is that there was never a particular reason why  
> regular hkp needed to be on port 11371.  The protocol is really http,  
> and may as well have lived on the proper http port.  I don't see a  
> reason to repeat this for hkps, so in the interest of simplicity, 443  
> seems to be the best choice.

I have a web-server running providing http/https.  I have a keyserver
running on 11371 and would like to have TLS keyserver support.

The nearest I could do in this case is to disable SSL support in
whichever keyserver I run, configure Apache to proxy for that vhost and
find some way to turn off the normal logging, since I don't query-log
HKP retrievals.  This means that the set-up which respects user-privacy
is more work to support (given default configurations).

Since HKP isn't directly for human consumption, does the need to tunnel
everything over the same two ports really stand?

If you're set on 443, how about using SRV records for hkps, always, and
only have 443 be the fallback port in the absence of SRV records?

_hkps._tcp.spodhuis.org.  IN SRV 10 10 11372 sks.spodhuis.org.

That would let me specify hkps://spodhuis.org/ and split the ports as I
need?

Thanks,
-Phil
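How a client would act on the SRV proposal above, as an added example (not GnuPG code and not part of the original mail): parse `_hkps._tcp` SRV records, order them per RFC 2782 (ascending priority, weighted choice within a priority), and fall back to port 443 on the bare host when no record exists. The zone lines are constructed inline so the example runs offline; the first one is the record from the mail, the others are invented to show ordering and the RFC 2782 "service not offered" marker (a single record with target `.`).

```python
"""Resolve hkps:// targets via SRV records with a port-443 fallback.

Added example for the SRV proposal in the thread; not GnuPG code.
SRV records are embedded as zone-file lines so this runs offline;
a real client would query DNS for _hkps._tcp.<host> instead.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone-file lines. The spodhuis.org record is the one from
# the mail; the others are invented for the example.
ZONE = """\
_hkps._tcp.spodhuis.org.  IN SRV 10 10 11372 sks.spodhuis.org.
_hkps._tcp.spodhuis.org.  IN SRV 20 0  443   backup.spodhuis.org.   ; lower priority
_hkps._tcp.example.org.   IN SRV 0  0  0     .                      ; hkps not offered
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_zone(text: str) -> Dict[str, List[SRV]]:
    """Parse 'owner IN SRV prio weight port target' lines into {owner: [SRV]}."""
    records: Dict[str, List[SRV]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 7 or fields[1:3] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {raw!r}")
        owner = fields[0].rstrip(".").lower()
        prio, weight, port = (int(f) for f in fields[3:6])
        if not 0 <= port <= 65535:
            raise ValueError(f"bad port in {raw!r}")
        target = fields[6].lower()
        if target != ".":
            target = target.rstrip(".")
        records.setdefault(owner, []).append(SRV(prio, weight, port, target))
    return records


def order_srv(rrset: List[SRV], rng: Optional[random.Random] = None) -> List[SRV]:
    """Order an RRset per RFC 2782: by ascending priority, then a weighted
    random draw within each priority (weight-0 records placed first in the
    candidate list so they are chosen least often)."""
    rng = rng or random.Random()
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in rrset}):
        remaining = sorted((r for r in rrset if r.priority == prio),
                           key=lambda r: r.weight != 0)  # weight 0 first
        while remaining:
            total = sum(r.weight for r in remaining)
            pick = rng.randint(0, total)
            running = 0
            for chosen in remaining:
                running += chosen.weight
                if running >= pick:
                    break
            ordered.append(chosen)
            remaining.remove(chosen)
    return ordered


def hkps_targets(host: str, zone: Dict[str, List[SRV]], default_port: int = 443,
                 rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Return the ordered (target, port) list to try for hkps://<host>/.

    SRV records, when present, decide the order and ports; with none, fall
    back to (host, 443) as the thread proposes. A lone record whose target
    is "." means the service is explicitly not offered and yields [].
    """
    rrset = zone.get(f"_hkps._tcp.{host.rstrip('.').lower()}", [])
    if not rrset:
        return [(host, default_port)]
    if len(rrset) == 1 and rrset[0].target == ".":
        return []
    return [(r.target, r.port) for r in order_srv(rrset, rng) if r.target != "."]


if __name__ == "__main__":
    zone = parse_srv_zone(ZONE)
    for host in ("spodhuis.org", "keys.example.net", "example.org"):
        print(f"hkps://{host}/ ->", hkps_targets(host, zone) or "service not offered")
```

Note that the fallback to 443 is only taken when no SRV record exists at all; an operator who publishes a `.` target is asking clients not to try hkps on that host, which is different from publishing nothing.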