On 30.07.2014 at 16:14, Viktor Dukhovni wrote:
> On Wed, Jul 30, 2014 at 08:41:51AM +0200, BlueStar88 wrote:
>
>> Regardless how difficult it would be to develop a reliable solution for
>> that, I keep thinking here and throw another idea, inspired by Tor and
>> it'
confessed this, I will now
> remove myself from this thread.
>
> Wietse
Well, you've thrown the stone at first.
--
BlueStar88 (bluesta...@xenobite.eu)
On 30.07.2014 at 13:16, Wietse Venema wrote:
> BlueStar88:
>> Regardless how difficult it would be to develop a reliable solution for
>> that, I keep thinking here and throw another idea, inspired by Tor and
>> it's multilayer crypto: Is there a way, once a connectio
hat
connection? Like this we could add another layer of trust and MitM
sensitivity covering the other direction using the same tools we already
have (maybe using SPF to stick to a set of hosts to verify given client
certificates against). Is there any possible support for that in the TLS
protocol or would it be able to do on the application level (assuming
both sides using postfix)?
--
BlueStar88 (bluesta...@xenobite.eu)
On 29.07.2014 at 19:40, Viktor Dukhovni wrote:
> On Tue, Jul 29, 2014 at 07:24:41PM +0200, BlueStar88 wrote:
>
>> First we should extend DNS using another MX-like entry, to be able to
>> define authoritative MTA client nodes for a specific domain, so we have
>> something
entry, to be able to
define authoritative MTA client nodes for a specific domain, so we have
something to stick on. Then we can build the same ("backfiring")
security checks, like we have on server connections today.
Wishful thinking...
;-P
BlueStar88
On Fri, 25 Jul 2014 22:13:14 +
Viktor Dukhovni wrote:
>On Fri, Jul 25, 2014 at 11:43:41PM +0200, BlueStar88 wrote:
>
>> Well, you made many words, thank you for that patience! Now I think my
>> false assumption (and underlying expectation) was, that this "backfiring
showing a
passport and has in fact nothing to do with the current underlying TLS link,
correct so far?
Regards
BlueStar88
On Fri, 25 Jul 2014 20:14:14 +0200
BlueStar88 wrote:
>>> I think the server checks, if the peer hostname fits the CN.
>>
>>It does not.
>
>It should. Since strictness to a given security level is a) a decision of each
>MX node itself and b) must cover both directi
On Fri, 11 Jul 2014 12:53:36 -0400 (EDT)
wie...@porcupine.org (Wietse Venema) wrote:
>BlueStar88:
>> for quite some while. I can see successful chain walks on inbound
>> connections resulting in "Trusted TLS connection established from".
>
>"Trusted" verif
On Fri, 11 Jul 2014 14:44:42 +
Viktor Dukhovni wrote:
>On Fri, Jul 11, 2014 at 11:10:37AM +0200, BlueStar88 wrote:
>
>> Postfix in fact does already host-certificate checks in both
>> directions/roles, which results in "Trusted TLS connections
>> established fro
n (MUA->MTA) only, not for
CA-trustchain checks on host based certificates (MTA->MTA). Although there are
shared directives, like "smtpd_tls_ask_ccert" for example...
Regards
BlueStar88
On Fri, 11 Jul 2014 11:29:11 +0200
Robert Schetterer wrote:
>On 11.07.2014 at 11:10, BlueStar88 wrote:
>> I'd like to setup a Trusted-only MTA for a special domain.
>
>if you have both servers under your control you may always cover con by
>vpn, and use special transport
PGP or the like) as
better/best solution, since my goal is just and simply to defeat broad passive
and low grade active snooping meta data, which is not covered by P2P-crypto.
Thanks for this great piece of software!
Kind regards,
BlueStar88