Date: Wed, 15 May 2024 18:23:05 -0700
From: Anthony Martin
To: 9front@9front.org
Subject: [9front] Re: "Insecure" icon in gmail
In-Reply-To: <4C1B6B746BF77B2F88319BBFCBFEB08C@driusan.net>

Dave MacFarlane once said:
> 1. Am I missing something obvious?

Nope. The thumbprint(6) style PKI system is simpler but more
tedious compared to the certificate authority system if you're
interacting with a lot of foreign servers that you don't
personally trust but still want to set up a "secure" channel
with them. You have to go with something like the CA system for
third party verification or raw dog it with a trust on first use
policy.

> 2. Is there a better way to do this?

Not currently. Note that webfs, ftpfs, aux/wpa, dns over tls,
and probably others do not bother checking the validity of a
server's certificate. This is not ideal. No one has done the
work. Alas.

> 3. Would it make sense to add a flag to use starttls but not
> validate certificates for upas/smtp?

Perhaps. But it would still be "insecure" even if the Google
borg doesn't show the super serious (see, it's even colored red)
flag on your messages.

Cheers,
  Anthony
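
The strict-pinning and trust-on-first-use policies contrasted in the reply above, as an added example that is not part of the original message or of 9front's code. It assumes a constructed `host sha256=<hex>` pin file (not the thumbprint(6) format) and constructed byte strings standing in for DER certificates.

```python
import hashlib

# Constructed stand-ins for DER certificates; real code would hash the
# peer certificate bytes taken from the TLS handshake.
CERT_A = b"constructed certificate A"
CERT_B = b"constructed certificate B"

def thumbprint(der: bytes) -> str:
    """SHA-256 of the certificate bytes, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def parse_pins(text: str) -> dict:
    """Parse 'host sha256=<hex>' lines (constructed format, an assumption)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, _, attr = line.partition(" ")
        kind, _, value = attr.strip().partition("=")
        value = value.lower()
        if kind != "sha256" or len(value) != 64 or set(value) - set("0123456789abcdef"):
            raise ValueError(f"bad pin line: {raw!r}")
        pins.setdefault(host.lower(), set()).add(value)
    return pins

def verify(pins: dict, host: str, der: bytes, tofu: bool = False) -> str:
    """Return 'ok', 'pinned-on-first-use', 'unknown-host' or 'mismatch'."""
    host, seen = host.lower(), thumbprint(der)
    known = pins.get(host)
    if known is None:
        if not tofu:
            return "unknown-host"   # strict pinning: no pin, no trust
        pins[host] = {seen}         # TOFU: first certificate seen is trusted
        return "pinned-on-first-use"
    if seen in known:
        return "ok"
    return "mismatch"               # changed cert: rotation or interception

if __name__ == "__main__":
    pins = parse_pins(f"mail.example.org sha256={thumbprint(CERT_A)}  # pinned by hand\n")
    print(verify(pins, "mail.example.org", CERT_A))             # ok
    print(verify(pins, "mail.example.org", CERT_B))             # mismatch
    print(verify(pins, "new.example.org", CERT_B))              # unknown-host
    print(verify(pins, "new.example.org", CERT_B, tofu=True))   # pinned-on-first-use
    print(verify(pins, "new.example.org", CERT_A, tofu=True))   # mismatch
```

Neither mode involves a third party: a `mismatch` has to be resolved out of band by whoever maintains the pin file.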