Dirmngr now supports hkps

Werner Koch wk at gnupg.org
Wed May 7 20:51:07 CEST 2014


On Wed,  7 May 2014 18:17, kristian.fiskerstrand at sumptuouscapital.com
said:

> (i) as tmphost is derived from getnameinfo, the PTR record will be
> used. A concrete example would be sks.karotte.org that resolve to
> 176.9.51.79 which has a PTR of alita.karotte.org. However no keyserver
> is configured on [2] as the expected host is [3]. So trying to grab a
> key will fail.

I considered that but first wanted to implement what I think is the
Right Thing; i.e. I assumed properly configured servers and admins with
full access to the DNS zones.

> have an issue in the situation where using the CN directly the server
> might be presenting a self-signed / corporate signed certificate for
> SNI == CN. In this case we will have a server authentication error

Hmmm.

> I strongly suggest using the original hostname provided as SNI when
> performing keyserver lookups, this is also consistent with current

Okay.  What about a dirmngr option to enable or disable the use of the
pool name?


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
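As an added illustration of the point raised in the thread (this is example code written for this page, not code from dirmngr or from either poster), the snippet below contrasts the two strategies: taking the TLS server name from the hostname the user configured, versus taking it from the PTR record that getnameinfo() returns for the resolved address. The forward/reverse DNS answers reuse the names and address given in the quoted message; the certificate's subjectAltName entries are an assumption (the operator is assumed to have a certificate for the advertised name, not for the PTR name). Nothing touches the network.

```python
"""Added example (not from the gnupg-devel thread or dirmngr itself):
why the SNI / certificate-verification name should be the hostname the
user configured rather than the name recovered from the PTR record.

All DNS answers and certificate contents below are constructed for the
demonstration; no network access is performed.
"""

# Constructed stand-in for forward (A) and reverse (PTR) DNS answers.
# The names and address follow the example given in the thread.
FORWARD_DNS = {"sks.karotte.org": ["176.9.51.79"]}
REVERSE_DNS = {"176.9.51.79": "alita.karotte.org"}

# Constructed stand-in for the dNSName subjectAltName entries of the
# certificate the keyserver presents.  Assumption: it was issued for the
# advertised name (and, to show wildcard handling, one wildcard entry).
SERVER_CERT_SANS = ["sks.karotte.org", "*.pool.example"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, and a single
    leading '*' wildcard may only stand in for the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(sans, hostname: str) -> bool:
    """True if any SAN entry of the presented certificate covers hostname."""
    return any(dns_name_matches(p, hostname) for p in sans)


def ptr_derived_name(configured_host: str) -> str:
    """What a getnameinfo()-style reverse lookup hands back for the
    address the configured host resolves to (falls back to the literal
    address when no PTR exists)."""
    addr = FORWARD_DNS[configured_host][0]
    return REVERSE_DNS.get(addr, addr)


def verification_outcome(configured_host: str, use_ptr_name: bool):
    """Return (name used for SNI and verification, verification result)
    for the two strategies discussed in the thread."""
    name = ptr_derived_name(configured_host) if use_ptr_name else configured_host
    return name, cert_matches(SERVER_CERT_SANS, name)


if __name__ == "__main__":
    for use_ptr in (True, False):
        name, ok = verification_outcome("sks.karotte.org", use_ptr)
        strategy = "PTR-derived" if use_ptr else "configured"
        print(f"{strategy:11s} name={name!r}: {'OK' if ok else 'FAIL'}")
```

With the PTR strategy the client presents and verifies `alita.karotte.org`, which the certificate does not cover, so the handshake is rejected even though the server is exactly the one the user asked for; with the configured name the same certificate verifies. The same helper shows why a wildcard entry does not rescue the PTR case: a wildcard only covers one left-most label under the same parent domain.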
