Gary R. Schmidt via Postfix-users wrote in
 <e55c40b0-7886-4247-96f5-12840cf34...@mcleod-schmidt.id.au>:
 |On 15/10/2024 14:36, Nico Schottelius via Postfix-users wrote:
 |>
 |> Good morning,
 |>
 |> Jaroslaw Rafa via Postfix-users <postfix-users@postfix.org> writes:
 |>
 |>> On 14.10.2024 at 13:03:48 Nico Schottelius via Postfix-users wrote:
 |>>>
 |>>> In a nutshell the idea is to reuse the very
 |>>> old, existing "trust of web" idea and mix it together with IPv6 only
 |>>> mail services as follows resulting into the following setup:
 |>>
 |>> So, basically you want to build a "walled garden" of operators who only
 |>> exchange mail between themselves.
 |>
 |> True to some degree. In my imagination this "walled garden" would be
 |> less of a garden, but more of a "trusted world", i.e. much bigger and
 |> having systems in place to regulate when somebody misbehaves.
 |>
 |That's what TELEX was...
 |
 |> In a way you could compare it to law/law enforcement, however steered
 |> decentralised without a central authority who decides what is good.
 |>
 |...Except it wasn't decentralised.
 |
 |Maybe lobby the ITU to have a standard (or whatever) created?
One could hope DNSSEC gets its chance in global style, then with raw
certificates in the DNS and such, maybe better presented than SMIMEA,
OPENPGPKEY as well as TLSA, which i for example cannot use at all in
the web interface of my provider -- i mean yes, everybody can run its
own bind / unbound instance, can they?? --, then this could get a go.
(I do not get all the grief anyway, and the myriads of standards,
everybody goes TLS and isn't that so expensive.)

Btw i fwiw said in February this year on openpgp@

  WKD is a good thing imho, but the setup is bitter.
  It is behind HTTPS, which, in the future, possibly, would no longer
  need a CA pool. Let me say it like that.
  If there would be a TXT record as for DKIM, one (everybody, that is)
  could immediately start with something different. Say.

    inline; KEY-AS-PEM
    wkd; URL (or nothing meaning use the "normal WKD approach")
    https; URL

  And these would be the values of

    BLAKE2-OF-LOCAL-PART._smime.DOMAIN TXT ..
    BLAKE2-OR-YOU-NAME-IT-OF-LOCAL-PART._pgp.DOMAIN TXT ..

  Ok, it does reveal local-part, in that all (the cryptographically
  secure hashes of the) local parts are there in the DNS, a zone
  transfer etc gets them all. Whereas WKD hides it in a web server
  directory in which you, i would think, have to know what you want
  to lookup to get an idea, and a listing showing them all you will
  not be able to get at all.
  Then again i personally feel that exaggerates security a bit, a
  super hidden team could base solely on WKD, for example.
  Or, for S/MIME, and could say there would be an optional additional

    [_.]_smime_ca.DOMAIN TXT

  that one should look up if the above lookup fails, giving the same
  to a generic CA certificate that was used to sign S/MIME
  certificates of users of DOMAIN. Then this reveals nothing either,
  for S/MIME, at least.
  ...
  P.S.: that BLAKE2S256-OF-LOCAL-PART could be anything.
  LOCAL-PART needs to be normalized (siiigh). The normal TTL also
  "means something".
Btw i also said, later, in April, on mutt-dev@

  The problem is solely that this automated fetching is shit (sorry)
  as of today, except for WKD maybe, and those hkps which still
  function, or not at all for S/MIME, that easily. (And not by
  default on German passports, not the one, not the other, and not
  fetchable via German DNSSECured DNS records either.)
  And all those DNS records which have been invented are the very
  same brainfuckers (sorry), because no normal and mentally sane
  person can use them, as they require specific DNS record formatting
  that those web interfaces that the mentioned persona has to use do
  not offer this, and, i guess, will never support.
  Compare this with the intellectual penetration of reality that the
  old good ones have proven to have, again, by looking at the DKIM
  standard. All you need is a TXT record, and almost everyone will be
  able to place this. DKIM is a good standard. I have my heavy doubts
  on most others. But that is just me, of course.
  I mean, what a pity. Give me DNSSEC, give me RFC 7250 raw TLS keys
  and DKIM certs and some better sort of SMIMEA and OPENPGP through
  it, instead of also this .well-known trashbin and CA certificate
  pools (get rid of the root server keys altogether maybe, how about
  [1] instead, even if US does not like it?), and more through it.

  [1] https://wander.science/paper/2017_Wander_Rootless_DNS.pdf

And even more btw, also there,

  I *wholeheartedly* agree! S/MIME is so much better by concept!
  This is why i like the new approach most PGP people now use, in
  that they use a signed MIME multipart which includes the public key
  as an attachment. And, btw, i am in full support of the OpenPGP:
  header that can be DKIM protected (plus by the "protected
  headers"). Unfortunately that never made it to a standard.
  ...
  For PGP there really should be better (ie: TXT-based; or like so)
  SMIMEA/OPENPGPKEY DNS entries, because what else one can have?
  WKD, and HKPS.
  I (and many others) use OpenPGP: and point via https:// --- which
  is totally absurd given that the entire HTTPS aka TLS community as
  it is of today uses CA pools that is based upon commercial
  supermans. No.

Off-topic for postfix a bit, but i can stand to that.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
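The TXT-record scheme quoted from the openpgp@ message above (a hash of the local part under `_smime.DOMAIN` / `_pgp.DOMAIN`, values of the form `inline; …`, `wkd; …` or `https; …`, and a domain-wide `_smime_ca` fallback), written out as an added example so the publisher and resolver halves can be seen together. This is not Steffen's code and not part of Postfix, mutt or any OpenPGP project. It fills in what the post leaves open, and each of these is an assumption: the local part is normalized with Unicode NFC plus casefold; the BLAKE2s-256 digest is encoded as unpadded base32 because a hex digest (64 octets) would exceed the 63-octet DNS label limit; the fallback name is taken as `_smime_ca.DOMAIN`; and an in-memory dict stands in for a real DNS resolver so the example runs offline. Long `inline` values are split into 255-octet character-strings the way DKIM records are.

```python
import base64
import hashlib
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder, not a real certificate; long enough that the
# "inline" form must be split across several 255-octet TXT strings.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "".join(f"CONSTRUCTED-PLACEHOLDER-LINE-{i}\n" for i in range(8))
    + "-----END CERTIFICATE-----\n"
)

# owner name -> TXT character-strings; an in-memory stand-in for DNS (assumption)
Zone = Dict[str, List[str]]


def normalize_local_part(local_part: str) -> str:
    """The post only says the local part "needs to be normalized"; NFC plus
    casefold is the rule assumed here for the example."""
    return unicodedata.normalize("NFC", local_part).casefold()


def hashed_label(local_part: str) -> str:
    """BLAKE2s-256 of the normalized local part, encoded to fit one DNS label.

    Hex would be 64 octets, one more than the 63-octet label limit, so the
    label is unpadded lower-case base32 (52 characters) instead (assumption)."""
    digest = hashlib.blake2s(
        normalize_local_part(local_part).encode("utf-8"), digest_size=32
    ).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def owner_name(address: str, service: str) -> str:
    """<hash>._smime.DOMAIN or <hash>._pgp.DOMAIN, as in the quoted proposal."""
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("address must be local-part@domain")
    return f"{hashed_label(local)}._{service}.{domain.lower()}"


@dataclass(frozen=True)
class KeyHint:
    method: str             # "inline", "wkd" or "https"
    payload: Optional[str]  # PEM text or URL; None = "use the normal WKD approach"
    source: str             # per-"user" record or the domain-wide "ca" fallback


KNOWN_METHODS = {"inline", "wkd", "https"}


def split_txt(value: str, chunk: int = 255) -> List[str]:
    """Publisher side: cut an ASCII value into <=255-octet character-strings,
    the same way long DKIM records are published."""
    value.encode("ascii")  # raises if the value is not plain ASCII
    return [value[i:i + chunk] for i in range(0, len(value), chunk)]


def parse_txt(strings: List[str], source: str) -> KeyHint:
    """Resolver side: re-join the character-strings and parse 'method; payload'."""
    value = "".join(strings)
    method, _, payload = value.partition(";")
    method = method.strip().lower()
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown method {method!r}")
    payload = payload.strip() or None
    if method != "wkd" and payload is None:
        raise ValueError(f"{method} needs a payload")
    return KeyHint(method, payload, source)


def lookup(zone: Zone, address: str, service: str) -> Optional[KeyHint]:
    """Per-user record first; for S/MIME fall back to _smime_ca.DOMAIN."""
    rrset = zone.get(owner_name(address, service))
    if rrset:
        return parse_txt(rrset, "user")
    if service == "smime":
        domain = address.rpartition("@")[2].lower()
        rrset = zone.get(f"_smime_ca.{domain}")
        if rrset:
            return parse_txt(rrset, "ca")
    return None


def build_constructed_zone() -> Zone:
    """Sample records for a made-up domain; nothing here is real DNS data."""
    return {
        owner_name("alice@example.org", "smime"): split_txt("inline; " + CONSTRUCTED_PEM),
        owner_name("bob@example.org", "pgp"): ["wkd; https://keys.example.org/.well-known/openpgpkey/"],
        owner_name("carol@example.org", "pgp"): ["wkd"],
        "_smime_ca.example.org": split_txt("inline; " + CONSTRUCTED_PEM),
    }


if __name__ == "__main__":
    zone = build_constructed_zone()
    for addr, svc in [("alice@example.org", "smime"), ("bob@example.org", "pgp"),
                      ("carol@example.org", "pgp"), ("dave@example.org", "smime"),
                      ("dave@example.org", "pgp")]:
        print(addr, svc, "->", lookup(zone, addr, svc))
```

Two points the post raises show up directly in the code. Normalization is what makes `Alice@Example.ORG` and `alice@example.org` resolve to the same owner name; without a fixed rule, publisher and resolver silently disagree. And, as the post concedes, hashing does not hide local parts: anyone holding the zone can hash a dictionary of common names and match them, so the hash only gives a label-safe shape, and the integrity of the answer comes from DNSSEC, not from the hash.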