Discuss mailing list

[Erich Eckner <opennic AT eckner.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 29 May 2020, Walter H. wrote:

> On 28.05.2020 23:09, Erich Eckner wrote:
>
> I meant it a little bit different:
>
> have you got an OpenNIC mail address?

no, because - as we both know - it's pretty much useless ;-)

> if so, try sending a Testmail from there to echo AT ipv6help.de
>
> and tell me, what you got back;
>
>
> > > OpenNIC is a parallel universe to the global DNS operated by 
> > > IETF/IANA/...;
> >
> > Yes, I'm aware of this. That's why I asked, how you intend to distribute 
> > certificates via email. As stated above, if properly configured, mail 
> > servers can trivially send to opennic domains.
>
> as long as there is a difference in what someone configures in
>
> e.g. /etc/resolv.conf
>
> this won't work;
>
> in view of a server the fastest resolvers are always the ones operated by the 
> hoster itself;
>
> > > how would you S/MIME sign an email using any OpenNIC domain as sender and 
> > > not assuming that the recipient has installed anything 3rd party?
> >
> > Ah, you are talking about getting certificates to be *used* on opennic 
> > domains for email? Then I misunderstood your first email, sry.
> no problem, but this should be the first step ..., before talking about SSL 
> certificates on domains from a 'parallel universe' ...

I don't see, why we need encryption/signing on a medium (email on opennic 
tlds) that noone uses, because it cannot interact with the rest of the 
world, at all and even before encryptions/signing on a medium (https on 
opennic tlds) that can be used currently and is in fact used by many 
hosts, but without centrally verified certificates, currently (because 
they do not yet exist).

> > > you e.g. use PGP, which is just like self-signed;
> > >
> > > when you achieve to get an S/MIME x509 certificate signed by a CA already 
> > > in the certstores for an OpenNIC email address, you are done;
> >
> > yes, for S/MIME certificates, this might work - if the official CA resolves 
> > opennic, too.
> exact your 'if' is the point: even you yourself don't use an official CA 
> signed certificate for you E-mail
>
> opennic AT eckner.net
>
> although it would be possible without any problem;

only partially true: The maintenance burden for a S/MIME certificate is 
much higher than for pgp keys - I had a S/MIME certificate once (for free, 
from my university), but once that expired, I didn't go through the hassle 
of extending/renewing it.

> everyone is an individual, so I think you have a reason not using an official 
> CA signed s/mime certificate; why sould then such indivdual like you want use 
> an official CA signed SSL certificate for a parallel universe domain?

I (and I suspect many others, too) have three reasons upon which they 
select the certificate:

1. price
2. convenience
3. usability/security model

regarding 3, pgp and s/mime work out similarily good (coverage of 
compatible correspondents might differ)

regarding 1, I prefer to choose "priceless" - which is provided by 
letsencrypt for TLS and makes no difference on the pgp/smime front 
(because, luckily, my university offers free certificates)

regarding 2, I prefer "less effort" - and that's the reason, why I choose 
pgp. Also, that's the reason, why I asked you, whether there is an 
automatic S/MIME certificate distribution mechanism. If it would be 
convenient (and still priceless), I would probably get an S/MIME 
certificate, too.

The "parallel universe" argument applies better to S/MIME than to TLS:

For TLS (e.g. https://acme.libre), you merely need to configure your local 
host to resolve via opennic and you're good to go.

For email (e.g. to be able to send to info AT acme.libre), you would need to 
configure your mail server to resolve opennic - and many mail servers are 
not operated by their users.

> I think it would be good to achieve it first on s/mime signing E-mails by 
> official CA signed certificates;

I think, this whole discussion about S/MIME certificates for opennic tlds 
is purely academic, because literally noone uses opennic tlds for email.

If anyone using an opennic tld for email is around, please step up and 
correct me.

regards,
Erich

P.S.: Just for the fun of it, I'll try to set up an email server for 
opennic domains - let's see, to whom I can deliver :-)

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl7Qt6oACgkQCu7JB1Xa
e1qKWBAAlBqwQvJB3zykJVB4VVUibiUXWyF3LX4JmTkZJiew9v9brw9fgr0YYd5E
qqCgDZsopwc+6Sv3Pg1sSvLOWmubzgrJaZy2LSeLg4o0f+rMjwNQCqhrol4z/FXU
/6FSLIbF7Y+QcxptyJcybVFKd+mdGakfIjquG6S/ovRIi4ewb7cYmxF+yK53PtqL
c+VNVZEiKpMO/93J3+wqAaeoI+TuTe3EM2FtfR6l5BmmZnDhhRFJUrtH+R8Se17C
PxG7QAJ0K7SxtsBiMf8RbMCyZoVI+tfKwkSd14/GWPXaiBfN5ifXl7YyhCpmBbsb
j0/lq3zKUcUsOvb4snb7ComxLi9k8vaeNZZzq2+35tZcSNVAhl0OwUSkAoq0PSC+
pBCeRmzaaoRJeOKUJiXQnaGlxmpDBHoeSneeVACKOiYr4MvMeoUywtYA3E/+zIIm
AI9fqp9HZ2RWvgNN+vhQ9XENj1ugJ94AwqliDsE98hz171Nwc4U6N/rE9liEfHKl
R/48xBaK5ohmZ94LHlzQdMQ2gXDx/rZ0eOWzW/qtVLtmiEkzPJjTSkWKG129Y0Jw
iji2r/JGKcDSASSrVwq6WsKVxHDLquTOHhFvZOttM9goq1xOc2KrO045/NLuX/Iz
TQYL8expyG9eRjVsavQrvvJuY4Xeev7OanDQIvCtrOLJMhzaJYE=
=W7iZ
-----END PGP SIGNATURE-----