Discuss mailing list

[Erich Eckner <opennic AT eckner.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I put the current status (as perceived by me) of the setup and discussion 
on https://wiki.opennic.org/opennic/tls

Feel free to contribute by editing that page.

On Fri, 29 May 2020, Walter H. wrote:

> Hello Erich,
>
> On 29.05.2020 12:03, Erich Eckner wrote:
> > Hi Walter,
> >
> > On Fri, 29 May 2020, Walter H. wrote:
> >
> > > On 29.05.2020 09:20, Erich Eckner wrote:
> > > > On Fri, 29 May 2020, Walter H. wrote:
> > > > > > > how would you S/MIME sign an email using any OpenNIC domain as sender 
> > > > > > > and not assuming that the recipient has installed anything 3rd party?
> > > > > >
> > > > > > Ah, you are talking about getting certificates to be *used* on opennic 
> > > > > > domains for email? Then I misunderstood your first email, sry.
> > > > > no problem, but this should be the first step ..., before talking about 
> > > > > SSL certificates on domains from a 'parallel universe' ...
> > > >
> > > > I don't see, why we need encryption/signing on a medium (email on opennic 
> > > > tlds) that noone uses,
> > > for the explanation and reasons see below
> > > > because it cannot interact with the rest of the world,
> > >
> > > the same with all other things, welcome in the 'parallel universe' ;-)
> >
> > you missed my point: The parallel universe is no problem, if the user only 
> > has to configure stuff, he/she controls (e.g. which dns resolver to use), 
> > but not stuff, he/she does not control (his/her mail server's resolver).
> >
> > > what do you mean by automatic distribution mechnism?
> >
> > I expect to not show up somewhere in person to get my certificate (I guess, 
> > the priceless CA does fulfill this requirement - my university did not).
>
> what you mean is something different; what is done at the validation process 
> ..., and this depends on what must be validated, if its the identity at all, 
> then you must send e.g. passport copy or show up in person but this is 
> uncommon for this, then you will get a certificate with your name in the x509 
> certificate subject; using such a certificate you not only show "this is my 
> e-mail address", you also show, who you are;
>
> if its only the e-mail address than this goes nearly instant ..., but not as 
> automatic as you know from Let's encrypt for SSL certificates; but automatic 
> enough; with this you only show, whats your e-mail address and not who you 
> are;
>
> by the way there is a similar difference with the SSL certificates; the sort 
> that are given by Let's encrypt, only show the domain name; the ones that are 
> used by e.g. banks show more;

ok, I see. I would not expect more than verifying email addresses and host 
names from an opennic-CA - I do not expect any bank to seriously run on 
opennic domains :-D

> > So let me ask you once more: How are S/MIME certificates being distributed 
> > (e.g. from this CA which does it for free)? We could add this to our CA, 
> > too. I see no problem with that.
> the same way as from CAs that are paid ..., there is no difference;
> > Also: I don't see, why that would be true. Why should TLS suddenly work if 
> > S/MIME works?
> because then the 'parallel universe' is integratet and doesn't co exist any 
> more and any problem is solved ...

ok, got it.

> > > > If it would be convenient (and still priceless), I would probably get an 
> > > > S/MIME certificate, too.
> > > >
> > > > The "parallel universe" argument applies better to S/MIME than to TLS:
> > >
> > > not really, with TLS its the same;
> >
> > ok, maybe I misphrased that. What I meant, was, that the "parallel 
> > universe" argument applies better to *email* than to *browsing* (and other 
> > services, to which you connect directly: imap, ssh, ftp, ...).
>
> not really, only to services where the DNS names are nothing than smoke; for 
> e.g. ssh this is true;
> it is wrong for both HTTP and HTTPS
>
> http://1.2.3.4/  and http://www.example.com/ give you different results, even 
> then www.example.com resolves to 1.2.3.4 ...
>
> compare using OpenNIC DNS server with entering hostnames with their ip 
> addresses to the local hosts file;
>
> using these resolvers is just a easier way of sharing own hosts file with 
> others, nothing more ...

But "others" might include the provider of the service itself. Which is 
IMHO pretty different from rsync'ing /etc/hosts files - it makes the name 
kind of official.

> > I see your point, but you missed mine again: How do I tell my gmail 
> > account, that it should happily send to help AT acme.libre?
>
> welcome again to the 'parallel universe'; it is just a few bytes in 
> /etc/resolve.conf, isn't it?

Yes, but those are a few bytes which I cannot control :-)

> > This will never work (same "never" as above). However, it is trivial for me 
> > to visit http://acme.libre.
>
> yes when modifying your hosts file or using other DNS resolvers; you wouldn't 
> setup a website e.g
>
> www.bookshop.libre and expect the whole world using other DNS resolvers as 
> they are used to, would you?
>
> I gues now you've the point with what is meant by 'parallel universe' ;-)
>
> > > > > I think it would be good to achieve it first on s/mime signing E-mails 
> > > > > by official CA signed certificates;
> > > >
> > > > I think, this whole discussion about S/MIME certificates for opennic tlds 
> > > > is purely academic, because literally noone uses opennic tlds for email.
> > > not really, the way S/MIME works is just a little bit more individual;
> > >
> > > ...
> >
> > I don't really understand, what you want to say with that and what your 
> > suggestion is for the roadmap.
> in other words, not every real problem is solveable by some digital work; and 
> not every digital solutuion is useable at all;
> > How would we step from S/MIME certificates of opennic domains to TLS 
> > certificates of opennic domains ...
> there is no difference; think a little bit of evolution; long before http was 
> invented, e-mail was working; so it is here, too;
> > To me, it sounds, like you would like to wait for the far-away (my opinion) 
> > milestone of being able to send/receive email from/to opennic tlds to/from 
> > the rest of the world, then get officially validated S/MIME certificates 
> > for these and somehow get officially validated TLS certificates this way.
> this is correct;
> > Do you honestly expect, that at some point, gmail, letsencrypt and other 
> > "big players" will resolve opennic tlds?
>
> No, I'd rather expect that these OpenNIC TLDs would be TLDs of IANA/IETF/..., 
> which would then make OpenNIC obsolete; just ask yourself: "why isn't there 
> any quite short TLD, that is really for free?"
>
> e.g. the TLD .free
>
> and is operated with rules that nobody can register multiple domains at once;
>
> even the TLD .name is paid;

ok, if this (e.g. wait for opennic tlds to be included in icann) is the 
proposed roadmap, then I prefer running our own acme server. :-D

> > Do you really want to wait until then with pushing forward TLS certificates 
> > on opennic domains?
>
> that's like waiting for Garfield become real ;-)

exactly.

> Walter
>
> p.s. might it be possible that you your mother-tongue is the same as mine 
> (German)?

Indeed, it is.

regards,
Erich

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl7Q8zgACgkQCu7JB1Xa
e1pmqBAAupKQviBAjLJOG63yupZv9NAbXN0e37+VQkWFw770dUgMt34hSzC+tC6R
UF9C0JjsaMXD355fbFSPix7Fy0kwyEhaBo+gySpQI3kePPbVH+ER59NCWvi74DT3
2YwrC3MFTvg1Mb7GVvr2JpnChf2GwEGvayWu4q+3FuNvMmkYcO+NCpSYbATeWd1X
06Ra6D633PxqidpbNG8PYVskH8ijil6FJ5dwgsbJCwxvOv/05rFwlbMV2raAbd4Y
zyztemwDzC60T7oezRrcmQMN+wYKLVJuUsyM3YnXJXRVbkfg46v/P9EKr25mU+EH
XCNKeLoIAf3zxVr3ipUHZhhEVgrjlGQt54IFQdyvYhOyzX9VSmRxgg7EJwtHgtnu
+6+tA6tE2HwR0m4LizEPrXjnx7wgXvtDsRGr7qOVoAfxI6mJbB3BWagct/F3p4E5
ZVgBDO6KbSFfp5eUl/YyvgTtTHRzKwA1JT4g1EdvetjvMCS1Imy2/oWHkosAX8NB
CKf+ZfSy0VTqfABbt7y6h6pMiHUf+rSz6R7AZ+bH3k6LJA4p5Vdc09QW6b43TcUl
P76vYd3B7p72wbohgmyrEL0pjDhX4WAkX9qaTjTBGXPFJ9TGx6SLTMMWTS67+U81
dBD259cqpUSpI8YqpgWXWf0HutnwDC8Tdzu7jf5Ru75wOWq/ySU=
=KYQ6
-----END PGP SIGNATURE-----