
discuss AT lists.opennicproject.org


Re: [opennic-discuss] broken https on reg.libre


  • From: "Walter H." <Walter.H AT mathemainzel.info>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] broken https on reg.libre
  • Date: Fri, 29 May 2020 10:18:03 +0200
  • Dkim-filter: OpenDKIM Filter v2.11.0 vhost01.ipv6help.de 8F244678B5
  • Organization: Home

On 29.05.2020 09:20, Erich Eckner wrote:
> On Fri, 29 May 2020, Walter H. wrote:
>> how would you S/MIME sign an email using any OpenNIC domain as sender and not assuming that the recipient has installed anything 3rd party?
>
> Ah, you are talking about getting certificates to be *used* on opennic domains for email? Then I misunderstood your first email, sry.

no problem, but this should be the first step ..., before talking about SSL certificates on domains from a 'parallel universe' ...

> I don't see, why we need encryption/signing on a medium (email on opennic tlds) that no one uses,

for the explanation and reasons see below

> because it cannot interact with the rest of the world,

the same with all other things, welcome in the 'parallel universe' ;-)

>> you e.g. use PGP, which is just like self-signed;
>>
>> when you achieve to get an S/MIME x509 certificate signed by a CA already in the certstores for an OpenNIC email address, you are done;
>
> yes, for S/MIME certificates, this might work - if the official CA resolves opennic, too.

exactly, your 'if' is the point: even you yourself don't use an official CA signed certificate for your E-mail

opennic AT eckner.net

although it would be possible without any problem;

> only partially true: The maintenance burden for a S/MIME certificate is much higher than for pgp keys - I had a S/MIME certificate once (for free, from my university), but once that expired, I didn't go through the hassle of extending/renewing it.

the necessary steps are quite different, the results, too;

> I (and I suspect many others, too) have three reasons upon which they select the certificate:
>
> 1. price
> 2. convenience
> 3. usability/security model
>
> regarding 3, pgp and s/mime work out similarly good (coverage of compatible correspondents might differ)

not really, s/mime has broad support mostly out-of-the-box, with pgp it is different;

> regarding 1, I prefer to choose "priceless" - which is provided by letsencrypt for TLS and makes no difference on the pgp/smime front (because, luckily, my university offers free certificates)

not only your university, also there is a CA which offers S/MIME for free, valid for 1 year; another CA offers them only valid for 3 months - the same with Let's Encrypt TLS certs;

> regarding 2, I prefer "less effort" - and that's the reason, why I choose pgp. Also, that's the reason, why I asked you, whether there is an automatic S/MIME certificate distribution mechanism.

what do you mean by automatic distribution mechanism?
as I see, your mails come with hexadecimal cheese-cake as a result of nearly no PGP support out-of-the-box;
and I don't think this is intended like that ...

here is a difference in comparison to TLS; PGP is a parallel universe, which is no more than self signed and due to the rare out-of-the-box support in mail agents more waste than sense;

(my mail agent also has no PGP support out of the box)

TLS is part of nearly every browser now; I don't think we are talking about oldies like IE 1.0 or so;

therefore my hint: get S/MIME working with OpenNIC domains, then TLS works, too;

> If it would be convenient (and still priceless), I would probably get an S/MIME certificate, too.
>
> The "parallel universe" argument applies better to S/MIME than to TLS:

not really, with TLS it's the same;

with both you have to manually add the root certificate into the cert store to prevent certchain broken errors or similar ...

but the impact of doing this is more critical with TLS than with S/MIME

> For TLS (e.g. https://acme.libre), you merely need to configure your local host to resolve via opennic and you're good to go.

No. this is only true for HTTP, not for HTTPS

exactly, that is the joke with this 'parallel universe';

> For email (e.g. to be able to send to info AT acme.libre), you would need to configure your mail server to resolve opennic

and that's it; the same with HTTP

with HTTP over SSL/TLS and S/MIME you have exactly the same problems; with the big difference, that manually trusting a HTTPS server using a certificate your browser can't validate because of missing root, ... is an absolute NoGo;

> - and many mail servers are not operated by their users.

welcome in the parallel universe ;-)
I think it would be good to achieve it first on s/mime signing E-mails by official CA signed certificates;

> I think this whole discussion about S/MIME certificates for opennic tlds is purely academic, because literally no one uses opennic tlds for email.

not really, the way S/MIME works is just a little bit more individual;

just thinking of this:

you send me an S/MIME signed mail using a self-signed certificate; as I don't expect that this mail is sent to several mail addresses (recipients, people) at the same time, you can give me a call, or whatever on a different channel informing me about this, and the trust is given; but does anyone connecting to a HTTPS server with a self-signed certificate get this information on a different channel, too?

that's why I said that about the NoGo above ..., and by the way, receiving an E-mail from you is really only from you, but

browsing to https://www.example.com/ is not just www.example.com, also any other host involved in building the page in my browser ...
just think of things like <script src="https://..."> inside HTML ...

if you would really only allow requests to the one and only host presented in the URL line of the user agent, then there would be nearly no page that is useful nor functional/operable ...

Greetings,

Walter



Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
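Editor's added example, not part of the thread above: the trust-store point Walter makes (a root you add by hand to fix "chain broken" errors for one OpenNIC site is trusted for every name it ever signs, whereas a single S/MIME sender certificate confirmed over another channel can be trusted on its own) reproduced with the OpenSSL command-line tool. The names acme.libre and www.example.com come from the discussion; the "Parallel Universe Root" CA, its keys and both server certificates are generated inside the script and are purely constructed. Assumes OpenSSL 1.1.1 or newer on the PATH.

```bash
#!/bin/sh
# Constructed demonstration (editor's example, not from the mailing list).
# A private root CA that no browser or mail agent ships issues a server
# certificate for acme.libre.  Chain validation fails against the default
# store, succeeds once the root is trusted, and the same trusted root then
# validates a certificate it issued for www.example.com as well.  Trusting
# exactly one end-entity certificate instead (the S/MIME-style "confirmed on
# another channel" case) only validates that one certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained OpenSSL config so the result does not depend on the
# system openssl.cnf; -subj overrides the placeholder CN below.
cat >req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_root() {
  # Self-signed root, deliberately absent from every default trust store.
  openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Parallel Universe Root" -days 30 \
    >/dev/null 2>&1
}

issue_leaf() {
  # $1 = DNS name; writes $1.crt, a server certificate signed by root.crt.
  name=$1
  openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$name" >"$name.ext"
  openssl x509 -req -in "$name.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
}

# Each check prints "ok" or "fail".  Hostname verification is included so the
# verdict is the one a browser would reach for that URL.
verify_default_store() {
  # No extra root installed: the system store is all the verifier has.
  openssl verify -verify_hostname "$1" "$1.crt" >/dev/null 2>&1 && echo ok || echo fail
}

verify_with_root_added() {
  # The user imported root.crt: every certificate that root signs is now trusted.
  openssl verify -verify_hostname "$1" -CAfile root.crt "$1.crt" >/dev/null 2>&1 \
    && echo ok || echo fail
}

verify_pinned_leaf() {
  # Trust exactly one end-entity certificate ($2.crt) and nothing above it;
  # -partial_chain lets the chain end at a trusted certificate that is not a root.
  openssl verify -verify_hostname "$1" -partial_chain -CAfile "$2.crt" "$1.crt" \
    >/dev/null 2>&1 && echo ok || echo fail
}

make_root
issue_leaf acme.libre
issue_leaf www.example.com

echo "acme.libre, default store:                   $(verify_default_store acme.libre)"
echo "acme.libre, private root added:              $(verify_with_root_added acme.libre)"
echo "www.example.com, same private root:          $(verify_with_root_added www.example.com)"
echo "acme.libre, only acme.libre.crt pinned:      $(verify_pinned_leaf acme.libre acme.libre)"
echo "www.example.com, only acme.libre.crt pinned: $(verify_pinned_leaf www.example.com acme.libre)"
```

The third line of output is the "absolute NoGo" in concrete form: once root.crt sits in the store, a certificate that root issues for www.example.com validates with full hostname checking, so the scope of that one import is every site, including the third-party script hosts a page pulls in. The pinned-leaf checks show the narrower alternative: trusting one certificate accepts only that certificate and nothing else signed by the same issuer.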



