
Re: [opennic-discuss] broken https on reg.libre


  • From: Erich Eckner <opennic AT eckner.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] broken https on reg.libre
  • Date: Fri, 29 May 2020 09:20:09 +0200 (CEST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 29 May 2020, Walter H. wrote:

> On 28.05.2020 23:09, Erich Eckner wrote:
>
> I meant it a little bit different:
>
> have you got an OpenNIC mail address?

no, because - as we both know - it's pretty much useless ;-)

> if so, try sending a test mail from there to echo AT ipv6help.de
>
> and tell me what you got back;

> OpenNIC is a parallel universe to the global DNS operated by IETF/IANA/...;

Yes, I'm aware of this. That's why I asked how you intend to distribute certificates via email. As stated above, if properly configured, mail servers can trivially send to opennic domains.

> as long as there is a difference in what someone configures in
>
> e.g. /etc/resolv.conf
>
> this won't work;
>
> in view of a server the fastest resolvers are always the ones operated by the hoster itself;
>
>
> how would you S/MIME sign an email using any OpenNIC domain as sender and not assuming that the recipient has installed anything 3rd party?

>> Ah, you are talking about getting certificates to be *used* on opennic domains for email? Then I misunderstood your first email, sorry.
>
> no problem, but this should be the first step ..., before talking about SSL certificates on domains from a 'parallel universe' ...

I don't see why we need encryption/signing on a medium (email on opennic tlds) that no one uses, because it cannot interact with the rest of the world at all, and even before encryption/signing on a medium (https on opennic tlds) that can be used currently and is in fact used by many hosts, but currently without centrally verified certificates (because they do not yet exist).



> you e.g. use PGP, which is just like self-signed;
>
> when you achieve to get an S/MIME x509 certificate signed by a CA already in the certstores for an OpenNIC email address, you are done;
>
>> yes, for S/MIME certificates, this might work - if the official CA resolves opennic, too.
>
> exactly your 'if' is the point: even you yourself don't use an official CA signed certificate for your E-mail
>
> opennic AT eckner.net
>
> although it would be possible without any problem;

only partially true: the maintenance burden for an S/MIME certificate is much higher than for pgp keys - I had an S/MIME certificate once (for free, from my university), but once that expired, I didn't go through the hassle of extending/renewing it.


> everyone is an individual, so I think you have a reason for not using an official CA signed s/mime certificate; why should then such an individual like you want to use an official CA signed SSL certificate for a parallel universe domain?

I (and I suspect many others, too) have three reasons upon which I select the certificate:

1. price
2. convenience
3. usability/security model

regarding 3, pgp and s/mime work out similarly well (coverage of compatible correspondents might differ)

regarding 1, I prefer to choose "priceless" - which is provided by letsencrypt for TLS and makes no difference on the pgp/smime front (because, luckily, my university offers free certificates)

regarding 2, I prefer "less effort" - and that's the reason why I choose pgp. Also, that's the reason why I asked you whether there is an automatic S/MIME certificate distribution mechanism. If it were convenient (and still priceless), I would probably get an S/MIME certificate, too.

The "parallel universe" argument applies better to S/MIME than to TLS:

For TLS (e.g. https://acme.libre), you merely need to configure your local host to resolve via opennic and you're good to go.

For email (e.g. to be able to send to info AT acme.libre), you would need to configure your mail server to resolve opennic - and many mail servers are not operated by their users.


> I think it would be good to achieve it first on s/mime signing E-mails by official CA signed certificates;

I think this whole discussion about S/MIME certificates for opennic tlds is purely academic, because literally no one uses opennic tlds for email.

If anyone using an opennic tld for email is around, please step up and correct me.

regards,
Erich

P.S.: Just for the fun of it, I'll try to set up an email server for opennic domains - let's see to whom I can deliver :-)




Archive powered by MHonArc 2.6.19.
