Hello Alan!
On Wed, 06 May 2020 at 13:34 -0700, you wrote to me:
AI>>> I say it is secure because it is! Arguing that it isn't is just
AI>>> plain silly.
AF>> No it is not. Thinking that obfuscation equals security is silly.
AI> What obfuscation and/or lack of security do you speak of?
I think I already explained it. If you cannot verify the certificate that was used
for encryption, there is no security in this encryption, only obfuscation (it's
harder to read/modify communication but still possible via a MitM attack, which
will go unnoticed).
AI>>> We could use some kind of in house certificates in fidonet. We
AI>>> would have to build and maintain all that.
AF>> There are many options. For example, have centralized certificate
AF>> issuer or have pubkeys in nodelist or DNS. The only problem is
AF>> that there is no standard to implement.
AI> If you want that info in the nodelist then the nodelist standard comes
AI> into play. If the nodelist had that info we could look there but that
AI> is not the case.
I didn't say I wanted it there. It was just an option, one of many.
AI> If my current certificate is not good enough then what would be and
AI> why?
You are using a certificate issued by a trusted CA that matches your domain
specified in the nodelist, which is fine. If there were a standard for binkps
requiring INA to be present and contain a valid domain name, then mailers could
verify certificates based on domain names and trusted CAs, as web browsers do.
But without a standard there is no security. If there is an IP address in
the INA field, how can you verify certificate validity?
... Music Station BBS | https://bbs.bsrealm.net | telnet://bbs.bsrealm.net
--- GoldED+/W32-MSVC 1.1.5-b20180707
* Origin: Music Station | https://ms.bsrealm.net (2:5030/1997)
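
Added example, not part of the original message and not code from any mailer: a Python sketch of the distinction drawn above between an encrypted-only TLS session and one verified against a trusted CA and the domain name in INA. The function names, the sample INA values and the policy of marking IP-only nodes as unauthenticated are assumptions made for illustration.

```python
import ipaddress
import ssl


def ina_is_hostname(ina: str) -> bool:
    """True when the nodelist INA value is a DNS name, False for an IP literal."""
    try:
        ipaddress.ip_address(ina.strip("[]"))  # accepts IPv4 and bracketed IPv6
        return False
    except ValueError:
        return True


def unverified_context() -> ssl.SSLContext:
    """Encrypts, but accepts any certificate: an active MitM goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Requires a chain to a trusted CA and a name match, as web browsers do."""
    return ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True


def plan_session(ina: str) -> dict:
    """Assumed policy: only a session verified against a domain name in INA
    counts as authenticated; an IP-only INA gives encryption without identity."""
    if ina_is_hostname(ina):
        return {"context": verified_context(),
                "server_hostname": ina,      # name the certificate must match
                "authenticated": True}
    return {"context": unverified_context(),
            "server_hostname": None,         # nothing to match the certificate to
            "authenticated": False}


if __name__ == "__main__":
    # Constructed INA values, not taken from any real nodelist.
    for ina in ("mailer.example.org", "192.0.2.10", "[2001:db8::1]"):
        plan = plan_session(ina)
        mode = "verified" if plan["authenticated"] else "encrypted only"
        print(f"{ina:22} -> {mode}")
```
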