discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: "Walter H." <Walter.H AT mathemainzel.info>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] broken https on reg.libre
- Date: Fri, 29 May 2020 10:18:03 +0200
- Dkim-filter: OpenDKIM Filter v2.11.0 vhost01.ipv6help.de 8F244678B5
- Organization: Home
On 29.05.2020 09:20, Erich Eckner wrote:
On Fri, 29 May 2020, Walter H. wrote:for the explanation and reasons see below
no problem, but this should be the first step ..., before talking about SSL certificates on domains from a 'parallel universe' ...how would you S/MIME sign an email using any OpenNIC domain as sender and not assuming that the recipient has installed anything 3rd party?
Ah, you are talking about getting certificates to be *used* on opennic domains for email? Then I misunderstood your first email, sry.
I don't see, why we need encryption/signing on a medium (email on opennic tlds) that noone uses,
because it cannot interact with the rest of the world,
the same with all other things, welcome in the 'parallel universe' ;-)
exact your 'if' is the point: even you yourself don't use an official CA signed certificate for you E-mail
you e.g. use PGP, which is just like self-signed;
when you achieve to get an S/MIME x509 certificate signed by a CA already in the certstores for an OpenNIC email address, you are done;
yes, for S/MIME certificates, this might work - if the official CA resolves opennic, too.
opennic AT eckner.net
although it would be possible without any problem;
only partially true: The maintenance burden for a S/MIME certificate is much higher than for pgp keys - I had a S/MIME certificate once (for free, from my university), but once that expired, I didn't go through the hassle of extending/renewing it.
the neccessary steps are quite different, the results, too;
I (and I suspect many others, too) have three reasons upon which they select the certificate:not really, s/mime has broad support mostly out-of-the-box, with pgo it is different;
1. price
2. convenience
3. usability/security model
regarding 3, pgp and s/mime work out similarily good (coverage of compatible correspondents might differ)
regarding 1, I prefer to choose "priceless" - which is provided by letsencrypt for TLS and makes no difference on the pgp/smime front (because, luckily, my university offers free certificates)not only your university also there is a CA which offers S/MIME for free, valid for 1 year; another CA offers them only valid for 3 months - the same with Let's encrypt TLS certs;
regarding 2, I prefer "less effort" - and that's the reason, why I choose pgp. Also, that's the reason, why I asked you, whether there is an automatic S/MIME certificate distribution mechanism.
what do you mean by automatic distribution mechnism?
as I see your mails come with hexadecimal cheese-cake as a result of nearly no PGP support out-of-the-box;
and I don't think this it is intended like that ...
here is a difference in comparison to TLS; PGP is a parallel universe, which is no more than self signed and due to the rare out-of-the-box support in mail agents more waste than sense;
(my mail agent also has no PGP support out of the box)
TLS is part of nearly every browser now; I don't think we are talking about oldies like IE 1.0 or so;
therefore my hint; get S/MIME working with OpenNIC domains, then TLS works, too;
If it would be convenient (and still priceless), I would probably get an S/MIME certificate, too.
The "parallel universe" argument applies better to S/MIME than to TLS:
not really, with TLS its the same;
with both you have to manually add the root certificate into the cert store to prevent certchain broken errors or similar ...
but the impact of doing this is more critical with TLS than with S/MIME
For TLS (e.g. https://acme.libre), you merely need to configure your local host to resolve via opennic and you're good to go.
No. this is only true for HTTP, not for HTTPS
exact that is the joke with this 'parallel universe';
For email (e.g. to be able to send to info AT acme.libre), you would need to configure your mail server to resolve opennic
and that's it; the same with HTTP
with HTTP over SSL/TLS and S/MIME you have exact the same problems; with the big difference, that manually trusting a HTTPS server using a certificate your browser can't validate because of missing root, ... is an absolute NoGo;
- and many mail servers are not operated by their users.welcome in the parallel universe ;-)
not really, the way S/MIME works is just a little bit more individual;I think it would be good to achieve it first on s/mime signing E-mails by official CA signed certificates;
I think, this whole discussion about S/MIME certificates for opennic tlds is purely academic, because literally noone uses opennic tlds for email.
just thinking of this:
you send me an S/MIME signed mail using a self-signed certificate; as I don't expect that this mail is sent to several mail adresses (recipients, people) at the same time, you can give me a call, or what ever on a different channel informing me about this, and the trust is given; but does anyone connecting to a HTTPS server with self signed certificate get this information on a different channel, too?
that's why I said, that about the NoGo above ..., and by the way, receiving an E-mail from you, is really only from you, but
browsing to https://www.example.com/ is not just www.example.com also any other host, involved building the page on my browser ...
just think of things like <script src="https://..."> inside HTML ...
if you would really only allow requests to the one and only host presented in the URL line of the user agent, then there would be rearly no page be useful nor functional/operable ...
Greetings,
Walter
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-
Re: [opennic-discuss] broken https on reg.libre
, (continued)
- Re: [opennic-discuss] broken https on reg.libre, Amunak, 05/24/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/26/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/27/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/27/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/28/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/28/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/28/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/29/2020
- [opennic-discuss] missing RRtypes on reg.libre, Erich Eckner, 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Rouben, 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/29/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/30/2020
- Re: [opennic-discuss] broken https on reg.libre, Erich Eckner, 05/30/2020
- Re: [opennic-discuss] broken https on reg.libre, Walter H., 05/31/2020
Archive powered by MHonArc 2.6.19.