discuss - Re: [opennic-discuss] broken https on reg.libre
  • From: "Walter H." <Walter.H AT mathemainzel.info>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] broken https on reg.libre
  • Date: Fri, 29 May 2020 13:15:04 +0200
  • Dkim-filter: OpenDKIM Filter v2.11.0 vhost01.ipv6help.de 12A9F678B5
  • Organization: Home

Hello Erich,

On 29.05.2020 12:03, Erich Eckner wrote:
> Hi Walter,
>
> On Fri, 29 May 2020, Walter H. wrote:
>
>> On 29.05.2020 09:20, Erich Eckner wrote:
>>> On Fri, 29 May 2020, Walter H. wrote:
>>>> how would you S/MIME sign an email using any OpenNIC domain as sender and not assuming that the recipient has installed anything 3rd party?
>>>
>>> Ah, you are talking about getting certificates to be *used* on opennic domains for email? Then I misunderstood your first email, sorry.
>>
>> no problem, but this should be the first step ..., before talking about SSL certificates on domains from a 'parallel universe' ...
>>
>>> I don't see, why we need encryption/signing on a medium (email on opennic tlds) that no one uses,
>> for the explanation and reasons see below
>>> because it cannot interact with the rest of the world,
>>
>> the same with all other things, welcome in the 'parallel universe' ;-)
>
> you missed my point: The parallel universe is no problem, if the user only has to configure stuff, he/she controls (e.g. which dns resolver to use), but not stuff, he/she does not control (his/her mail server's resolver).
>
>> what do you mean by automatic distribution mechanism?
>
> I expect to not show up somewhere in person to get my certificate (I guess, the priceless CA does fulfill this requirement - my university did not).

what you mean is something different; what is done at the validation process ..., and this depends on what must be validated; if it's the identity at all, then you must send e.g. a passport copy or show up in person, but this is uncommon for this; then you will get a certificate with your name in the X.509 certificate subject; using such a certificate you not only show "this is my e-mail address", you also show who you are;

if it's only the e-mail address, then this goes nearly instantly ..., but not as automatic as you know from Let's Encrypt for SSL certificates; but automatic enough; with this you only show what your e-mail address is and not who you are;

by the way, there is a similar difference with the SSL certificates; the sort that are given by Let's Encrypt only show the domain name; the ones that are used by e.g. banks show more;

> So let me ask you once more: How are S/MIME certificates being distributed (e.g. from this CA which does it for free)? We could add this to our CA, too. I see no problem with that.
the same way as from CAs that are paid ..., there is no difference;
> Also: I don't see, why that would be true. Why should TLS suddenly work if S/MIME works?
because then the 'parallel universe' is integrated and doesn't coexist any more and any problem is solved ...
> If it would be convenient (and still priceless), I would probably get an S/MIME certificate, too.
>
>>> The "parallel universe" argument applies better to S/MIME than to TLS:
>>
>> not really, with TLS it's the same;
>
> ok, maybe I misphrased that. What I meant, was, that the "parallel universe" argument applies better to *email* than to *browsing* (and other services, to which you connect directly: imap, ssh, ftp, ...).

not really, only to services where the DNS names are nothing but smoke; for e.g. ssh this is true;
it is wrong for both HTTP and HTTPS

http://1.2.3.4/ and http://www.example.com/ give you different results, even when www.example.com resolves to 1.2.3.4 ...

compare using OpenNIC DNS servers with entering hostnames with their IP addresses into the local hosts file;

using these resolvers is just an easier way of sharing your own hosts file with others, nothing more ...

> I see your point, but you missed mine again: How do I tell my gmail account, that it should happily send to help AT acme.libre?

welcome again to the 'parallel universe'; it is just a few bytes in /etc/resolv.conf, isn't it?

> This will never work (same "never" as above). However, it is trivial for me to visit http://acme.libre.

yes, when modifying your hosts file or using other DNS resolvers; you wouldn't set up a website, e.g.

www.bookshop.libre, and expect the whole world to use other DNS resolvers than they are used to, would you?

I guess now you've got the point of what is meant by 'parallel universe' ;-)

I think it would be good to achieve it first on S/MIME signing e-mails by official CA signed certificates;

>>> I think, this whole discussion about S/MIME certificates for opennic tlds is purely academic, because literally no one uses opennic tlds for email.
>>
>> not really, the way S/MIME works is just a little bit more individual;
>
> ...
>
> I don't really understand, what you want to say with that and what your suggestion is for the roadmap.
in other words, not every real problem is solvable by some digital work; and not every digital solution is usable at all;

> How would we step from S/MIME certificates of opennic domains to TLS certificates of opennic domains ...
there is no difference; think a little bit of evolution; long before http was invented, e-mail was working; so it is here, too;
> To me, it sounds, like you would like to wait for the far-away (my opinion) milestone of being able to send/receive email from/to opennic tlds to/from the rest of the world, then get officially validated S/MIME certificates for these and somehow get officially validated TLS certificates this way.
this is correct;
> Do you honestly expect, that at some point, gmail, letsencrypt and other "big players" will resolve opennic tlds?

No, I'd rather expect that these OpenNIC TLDs would be TLDs of IANA/IETF/..., which would then make OpenNIC obsolete; just ask yourself: "why isn't there any quite short TLD, that is really for free?"

e.g. the TLD .free

and is operated with rules that nobody can register multiple domains at once;

even the TLD .name is paid;

> Do you really want to wait until then with pushing forward TLS certificates on opennic domains?

that's like waiting for Garfield to become real ;-)

Walter

p.s. might it be possible that your mother tongue is the same as mine (German)?
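Added example (not part of the thread, and not OpenNIC's or either author's code) illustrating the two technical points Walter makes above: that http://1.2.3.4/ and http://www.example.com/ give different results even when the name resolves to 1.2.3.4, because a name-based virtual host dispatches on the Host header rather than on the address, and that using an alternative resolver is equivalent to sharing a hosts file. The hosts-file text, the addresses, the virtual-host table and the URLs below are all constructed for the example; names ending in .libre are used only to mirror the thread and resolve here solely because they appear in the constructed hosts file.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed /etc/hosts-style table standing in for "a shared hosts file"
# (what Walter compares the OpenNIC resolvers to).  Addresses are made up.
HOSTS_TEXT = """
# address       names
1.2.3.4         www.example.com example.com
1.2.3.4         www.bookshop.libre
"""

# Constructed name-based virtual-host table of the web server at 1.2.3.4.
VHOSTS = {
    "www.example.com": "site: example.com",
    "www.bookshop.libre": "site: bookshop.libre",
}
DEFAULT_SITE = "default site (IP literal or unknown Host header)"


def resolve(name, hosts_text=HOSTS_TEXT):
    """Resolve a name the way a hosts file would; IP literals resolve to
    themselves.  Returns None when the name is unknown in this 'universe'."""
    try:
        return str(ipaddress.ip_address(name.strip("[]")))
    except ValueError:
        pass
    wanted = name.lower().rstrip(".")
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()        # drop comments
        if len(fields) >= 2 and wanted in (n.lower() for n in fields[1:]):
            return fields[0]
    return None


def build_request(url):
    """Build the HTTP/1.1 request a client sends for `url`; the Host header
    carries the authority from the URL, not the address it connected to."""
    u = urlsplit(url)
    authority = u.netloc.rsplit("@", 1)[-1]            # drop userinfo, keep host[:port]
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return f"GET {path} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()


def host_header_name(raw_request):
    """Extract the host name from the Host header, stripping any port and
    the brackets of an IPv6 literal such as [::1]:80."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            value = value.strip()
            if value.startswith("["):
                return value[1:value.index("]")]
            return value.rsplit(":", 1)[0] if ":" in value else value
    return ""


def select_site(raw_request):
    """Server side: pick the virtual host by Host header (case-insensitive,
    trailing dot ignored); anything else lands on the default site."""
    name = host_header_name(raw_request).lower().rstrip(".")
    return VHOSTS.get(name, DEFAULT_SITE)


def fetch(url, hosts_text=HOSTS_TEXT):
    """Return (address the client connects to, site the server serves)."""
    u = urlsplit(url)
    ip = resolve(u.hostname, hosts_text)
    if ip is None:
        raise LookupError(f"{u.hostname}: not resolvable with this hosts file")
    return ip, select_site(build_request(url))


if __name__ == "__main__":
    for url in ("http://www.example.com/", "http://1.2.3.4/",
                "http://www.bookshop.libre/", "http://help.acme.libre/"):
        try:
            print(url, "->", fetch(url))
        except LookupError as e:
            print(url, "->", e)
```

Both www.example.com and www.bookshop.libre connect to the same address, yet the server answers with different sites; the IP-literal URL reaches the same address but only the default site. A name that is not in the hosts file (or, in the real setting, not known to the resolver in use) fails before any connection is made, which is the "parallel universe" situation the thread is about.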


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
