echo: binkd
to: ALEXEY FAYANS
from: ALAN IANSON
date: 2019-12-18 17:20:00
subject: BINKP over TLS

Hello Alexey,

 AF> I believe Michael Dukelsky (2:5020/1042) is the last active binkd
 AF> developer.

He is next on my list, I didn't realize he was the only developer. I don't yet
have enough to reach out and ask him myself. I know I want to be secure but I
don't know the best way to go about that. He may very well have better ideas
than I do anyway and I am happy enough that we are having this discussion.

 AF> I've already expressed my ideas, but here's a summary:

 AF> 1. STARTTLS is the best option because:

I have read and agree with your reasons for wanting to use STARTTLS. I don't
think STARTTLS is what we want today.

In the early going of TLS it was probably the only way forward since there were
many destinations that did not support TLS, that is not the case today. I don't
read of anyone adopting STARTTLS today, only deprecating it.

 AF> 1.1. It works on the same port and therefore will be adopted way faster.
 AF> 1.2. Can work out of the box without additional configuration.
 AF> 1.3. Requires significantly less software modified.
 AF> 1.4. Not less secure than TLS on a dedicated port because it is
 AF> possible to announce TLS support via nodelist.
 AF> 2. For any kind of TLS something must be decided on certificate authority.
 AF> 2.1. We can use internet CAs, but this will require additional binding
 AF> of fidonet address to internet domain, probably, via nodelist. Doesn't
 AF> look shiny.
 AF> 2.2. We can have own CA but this makes fidonet more centralized, we
 AF> will also have to define a secure way of issuing and delivering
 AF> certificates.

I do agree with your reasons for STARTTLS, they are good reasons.

If binkps over TLS was implemented today I think implicit TLS is the way to do
it. We need a binkps listener on port 24553 (or the port you intend to use) and
a way to start a poll to such a listener.

I would be willing to test TLS with you if you like, even using STARTTLS. If we
got some testing under our belt we could discover what works and what doesn't
and be in a better position to give feedback to the binkd developer(s).

 Ttyl :-),
         Al

--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)
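
As an added example that is not part of Al's message or of binkd itself: a Python client that opens the implicit-TLS connection on port 24553 discussed above and, rather than relying on an internet or Fidonet CA (point 2 of the quoted summary), pins the listener's certificate to a SHA-256 fingerprint that would be published out of band, for instance in the nodelist. The host, the pinned fingerprint and all helper names are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Assumed default: the binkps port named in the message.
BINKPS_PORT = 24553


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare a presented certificate against a pinned fingerprint.

    The pinned value is normalised (case and ':' separators ignored) so a
    fingerprint copied from an 'openssl x509 -fingerprint' line compares
    equal to hexdigest() output. compare_digest avoids a timing side channel.
    """
    want = pinned.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), want)


def connect_binkps(host: str, pinned: str, port: int = BINKPS_PORT,
                   timeout: float = 30.0) -> ssl.SSLSocket:
    """Open an implicit-TLS connection to a binkps listener and pin its cert.

    Implicit TLS: the handshake starts immediately on the dedicated port, so
    there is no cleartext phase in which a STARTTLS offer could be stripped.
    With no CA to anchor trust in, chain verification is disabled and
    replaced by the explicit fingerprint check below; a mismatch closes the
    connection before any binkp traffic is exchanged.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # replaced by the pin, not skipped
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        presented = tls.getpeercert(binary_form=True)
        if presented is None or not fingerprint_matches(presented, pinned):
            raise ssl.SSLError(f"binkps certificate pin mismatch for {host}")
    except Exception:
        tls.close()
        raise
    return tls
```

A caller would use it as `connect_binkps("node.example", "AB:CD:...")` and then run the normal binkp session over the returned socket.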

SOURCE: echomail via QWK@docsplace.org