Discuss mailing list

["Walter H." <Walter.H AT mathemainzel.info>]

Hello Erich,

On 29.05.2020 12:03, Erich Eckner wrote:
> Hi Walter,
>
> On Fri, 29 May 2020, Walter H. wrote:
>
> > On 29.05.2020 09:20, Erich Eckner wrote:
> > > On Fri, 29 May 2020, Walter H. wrote:
> > > > > > how would you S/MIME sign an email using any OpenNIC domain as 
> > > > > > sender and not assuming that the recipient has installed anything 
> > > > > > 3rd party?
> > > > >
> > > > > Ah, you are talking about getting certificates to be *used* on 
> > > > > opennic domains for email? Then I misunderstood your first email, 
> > > > > sry.
> > > > no problem, but this should be the first step ..., before talking 
> > > > about SSL certificates on domains from a 'parallel universe' ...
> > >
> > > I don't see, why we need encryption/signing on a medium (email on 
> > > opennic tlds) that noone uses,
> > for the explanation and reasons see below
> > > because it cannot interact with the rest of the world,
> >
> > the same with all other things, welcome in the 'parallel universe' ;-)
>
> you missed my point: The parallel universe is no problem, if the user 
> only has to configure stuff, he/she controls (e.g. which dns resolver 
> to use), but not stuff, he/she does not control (his/her mail server's 
> resolver).
>
> > what do you mean by automatic distribution mechnism?
>
> I expect to not show up somewhere in person to get my certificate (I 
> guess, the priceless CA does fulfill this requirement - my university 
> did not).

what you mean is something different; what is done at the validation 
process ..., and this depends on what must be validated, if its the 
identity at all, then you must send e.g. passport copy or show up in 
person but this is uncommon for this, then you will get a certificate 
with your name in the x509 certificate subject; using such a certificate 
you not only show "this is my e-mail address", you also show, who you are;

if its only the e-mail address than this goes nearly instant ..., but 
not as automatic as you know from Let's encrypt for SSL certificates; 
but automatic enough; with this you only show, whats your e-mail address 
and not who you are;

by the way there is a similar difference with the SSL certificates; the 
sort that are given by Let's encrypt, only show the domain name; the 
ones that are used by e.g. banks show more;

> So let me ask you once more: How are S/MIME certificates being 
> distributed (e.g. from this CA which does it for free)? We could add 
> this to our CA, too. I see no problem with that.
the same way as from CAs that are paid ..., there is no difference;
> Also: I don't see, why that would be true. Why should TLS suddenly 
> work if S/MIME works?
because then the 'parallel universe' is integratet and doesn't co exist 
any more and any problem is solved ...
> > > If it would be convenient (and still priceless), I would probably 
> > > get an S/MIME certificate, too.
> > >
> > > The "parallel universe" argument applies better to S/MIME than to TLS:
> >
> > not really, with TLS its the same;
>
> ok, maybe I misphrased that. What I meant, was, that the "parallel 
> universe" argument applies better to *email* than to *browsing* (and 
> other services, to which you connect directly: imap, ssh, ftp, ...).

not really, only to services where the DNS names are nothing than smoke; 
for e.g. ssh this is true;
it is wrong for both HTTP and HTTPS

http://1.2.3.4/  and http://www.example.com/ give you different results, 
even then www.example.com resolves to 1.2.3.4 ...

compare using OpenNIC DNS server with entering hostnames with their ip 
addresses to the local hosts file;

using these resolvers is just a easier way of sharing own hosts file 
with others, nothing more ...

> I see your point, but you missed mine again: How do I tell my gmail 
> account, that it should happily send to help AT acme.libre?

welcome again to the 'parallel universe'; it is just a few bytes in 
/etc/resolve.conf, isn't it?

> This will never work (same "never" as above). However, it is trivial 
> for me to visit http://acme.libre.

yes when modifying your hosts file or using other DNS resolvers; you 
wouldn't setup a website e.g

www.bookshop.libre and expect the whole world using other DNS resolvers 
as they are used to, would you?

I gues now you've the point with what is meant by 'parallel universe' ;-)

> > > > I think it would be good to achieve it first on s/mime signing 
> > > > E-mails by official CA signed certificates;
> > >
> > > I think, this whole discussion about S/MIME certificates for opennic 
> > > tlds is purely academic, because literally noone uses opennic tlds 
> > > for email.
> > not really, the way S/MIME works is just a little bit more individual;
> >
> > ...
>
> I don't really understand, what you want to say with that and what 
> your suggestion is for the roadmap.
in other words, not every real problem is solveable by some digital 
work; and not every digital solutuion is useable at all;
> How would we step from S/MIME certificates of opennic domains to TLS 
> certificates of opennic domains ...
there is no difference; think a little bit of evolution; long before 
http was invented, e-mail was working; so it is here, too;
> To me, it sounds, like you would like to wait for the far-away (my 
> opinion) milestone of being able to send/receive email from/to opennic 
> tlds to/from the rest of the world, then get officially validated 
> S/MIME certificates for these and somehow get officially validated TLS 
> certificates this way.
this is correct;
> Do you honestly expect, that at some point, gmail, letsencrypt and 
> other "big players" will resolve opennic tlds?

No, I'd rather expect that these OpenNIC TLDs would be TLDs of 
IANA/IETF/..., which would then make OpenNIC obsolete; just ask 
yourself: "why isn't there any quite short TLD, that is really for free?"

e.g. the TLD .free

and is operated with rules that nobody can register multiple domains at 
once;

even the TLD .name is paid;

> Do you really want to wait until then with pushing forward TLS 
> certificates on opennic domains?

that's like waiting for Garfield become real ;-)

Walter

p.s. might it be possible that you your mother-tongue is the same as 
mine (German)?

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature