From: Grant Taylor via TUHS
Reply-To: Grant Taylor
To: tuhs@minnie.tuhs.org
Date: Mon, 25 Jun 2018 12:48:33 -0600
Subject: Re: [TUHS] off-topic list
Message-ID: <5da463dd-fb08-f601-68e3-197e720d5716@spamtrap.tnetconsulting.net>
In-Reply-To: <20180625161052.6PXXL%steffen@sdaoden.eu>
Organization: TNet Consulting

On 06/25/2018 10:10 AM, Steffen Nurpmeso wrote:
> DKIM reuses the *SSL key infrastructure, which is good.

Are you saying that DKIM relies on the traditional PKI via CA infrastructure?
Or are you saying that it uses similar technology that is completely independent of the PKI / CA infrastructure?

> (Many eyes see the code in question.) It places records in DNS, which
> is also good, now that we have DNS over TCP/TLS and (likely) DTLS.
> In practice however things may differ and to me DNS security is all in
> all not given as long as we get to the transport layer security.

I believe that a secure DNS /transport/ is not sufficient. Simply securing the communications channel does not mean that the entity on the other end is not lying. Particularly when not talking to the authoritative server, likely by relying on caching recursive resolvers.

> I personally do not like DKIM still, i have opendkim around and
> thought about it, but i do not use it, i would rather wish that public
> TLS certificates could also be used in the same way as public S/MIME
> certificates or OpenPGP public keys work, then only by going to a TLS
> endpoint securely once, there could be end-to-end security.

All S/MIME interactions that I've seen do use certificates from a well-known CA via the PKI.

(My understanding of) what you're describing is encryption of data in flight. That does nothing to encrypt / protect data at rest. S/MIME /does/ provide encryption / authentication of data in flight /and/ data at rest. S/MIME and PGP can also be used for things that never cross the wire.

> I am not a cryptographer, however. (I also have not read the TLS v1.3
> standard which is about to become reality.) The thing however is that
> for DKIM a lonesome user cannot do anything -- you either need to have
> your own SMTP server, or you need to trust your provider.

I don't think that's completely accurate. DKIM is a method of signing (via cryptographic hash) headers as you see (send) them. I see no reason why a client can't add DKIM headers / signature to messages it sends to the MSA. Granted, I've never seen this done.
But I don't see anything preventing it from being the case.

> But our own user interface is completely detached. (I mean, at least
> if no MTA is used one could do the DKIM stuff, too.)

I know that it is possible to do things on the receiving side. I've got the DKIM Verifier add-on installed in Thunderbird, which gives me client-side UI indication if the message that's being displayed still passes DKIM validation or not. The plugin actually calculates the DKIM hash and compares it locally. It's not just relying on a header added by receiving servers.

-- 
Grant. . . .
unix || die
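The local DKIM check Grant describes (recomputing the hash on the client instead of trusting a header a receiving server added), as an added Python example that is not part of the original thread: it implements the c=simple/simple canonicalization used by the DKIM-Signature header on this very message, recomputes the bh= body hash, and builds the exact bytes the b= signature covers. The closing RSA-SHA256 verification of b= against the p= key published at selector._domainkey.domain in DNS needs a crypto library and is not shown; the headers and bodies fed to these functions are constructed samples.

```python
import base64
import hashlib
import re

def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization (the c=simple/simple case in
    the DKIM-Signature above): drop trailing empty lines, then end in exactly
    one CRLF; an empty body becomes a single CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body

def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(simple_body_canon(body)).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace
    inside a value (the b= blob is wrapped across lines) is not significant."""
    tags = {}
    for item in sig_value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_body_hash(sig_value: str, body: bytes) -> bool:
    """Recompute bh= locally and compare it, rather than trusting a header
    that a receiving server added."""
    return parse_tags(sig_value).get("bh") == body_hash(body)

def header_hash_input(headers: list, sig_value: str) -> bytes:
    """Exact bytes the b= RSA-SHA256 signature covers under 'simple' header
    canonicalization: each header named in h=, verbatim and in that order
    (a repeated name is taken bottom-up, as RFC 6376 requires), then the
    DKIM-Signature header itself with the b= value emptied and no trailing
    CRLF. Assumes (name, value) pairs written as 'Name: value' in the mail."""
    remaining = list(headers)
    out = b""
    for name in parse_tags(sig_value)["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                hdr_name, hdr_val = remaining.pop(i)
                out += f"{hdr_name}: {hdr_val}\r\n".encode()
                break
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    return out + b"DKIM-Signature: " + stripped.encode()
```

A header named in h= that the message lacks is simply skipped, which is why a verifier that also lists absent headers (oversigning) can detect a From: prepended after signing.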