Jesse Thompson wrote in <ef3306d7-70cc-4fee-9130-8b0da78f9...@app.fastmail.com>:

 |On Thu, Aug 17, 2023, at 12:02 PM, Steffen Nurpmeso wrote:
 |> More, usually (it happened in the past) they then point to their
 |> web site, where you then *do*, and isn't the certificate of that
 |> website, which itself is likely verified by some CA in some CA
 |> pool that you do not have control over, or do not exert control
 |> over, also because the interface is user unfriendly, a much bigger
 |> problem, also security-wise, than the DKIM signature? Especially
 |> with DNSSEC etc etc?
 |
 |If I understand correctly, there are some "no auth, no entry" requirements
 |being suggested by some ISPs, in which they might start requiring DKIM
 |signatures aligned to any/all domains in headers and body.

I have problems parsing this.
The sending domain signs messages it sends .. end of the story?

 |I guess it's not enough that the web site has a CA cert, since those
 |are trivial to obtain. So, now the CA problem shifts to DKIM.

Today's internet is like that.

I want to point out one more helpless IETF hand-waving, cast in stone
in RFC 6698, 1.1:

  The public CA model upon which TLS has depended is fundamentally
  vulnerable[.]

and, in 1.2:

  [.]Given that the DNS administrator for a domain name is authorized
  to give identifying information about the zone, it makes sense to
  allow that administrator to also make an authoritative binding
  between the domain name and a certificate that might be used by a
  host at that domain name. The easiest way to do this is to use the
  DNS, securing the binding with DNSSEC.

Ah, .. i see TLSA in heavy use on the internet.

So, in my humble opinion, no "CA problem shifts", but domain drivers
are given the right for a self-determined life.
That is real freedom even, no matter if US American, Italian, Chinese
or North Korean. Period.

Btw i want to shamelessly quote a message from the lua-l mailing list
as of today -- they have to find a new host, read this:

  Also where on the managed vs unmanaged spectrum: Pepperfish mostly
  provided a managed service: the Lua team never needed to be involved
  in the administration of running an MTA or list server, for example
  - this is a huge amount of effort these days (not least due to the
  defederation that has been happening over the past few years) and
  one of the reasons why Pepperfish is going away.

See this? "Huge amount of effort", i whole-heartedly agree!!
Decade old human efforts are shut down because of the mess.
Maybe someone should point them to GoogleGroups, or another giant?
(Lua is a small embeddable scripting language which is used by many
projects, also in-operating-system-kernel.)
No no! No!!

So whereas intellectually penetrated all-inclusive engineer solutions
demand respect, and shed a light of brilliance on certain members of
this list -- i personally do not stand back doing so, i even admire
some of those solutions which exceed my own logic capabilities, a
reflection on whether possibly over-engineering has spread out may be
due. No.. is due. Imho.

I understand that monetary interests are involved.
I personally REFUSE the outsourcing of all email service of
universities and such to GMail, you know, show me the spy balloon i
can shoot, with selfie!
I mean come on, email service? Shouldn't that be easy?
No, enabling individuals to live a self-determined life shall be on
the agenda, and has left it for email long ago. No.

Thank you, and a nice weekend i wish, if you can.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
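The RFC 6698 passages quoted in the message describe the binding a TLSA record makes between a DNS name and a certificate. The following is an added example, not code from the thread or from any of its participants, showing how that binding is computed and checked: it generates the TLSA "certificate association data" for the selector and matching-type combinations RFC 6698 defines, prints the record in presentation format, and checks a presented certificate against a DANE-EE (usage 3) RRset. The certificate is a constructed, unsigned DER skeleton built inline so the example runs offline; the name mail.example.com, the DER helpers and the function names are assumptions of this example. Verifying that the RRset itself was DNSSEC-validated is out of scope here and is assumed to have been done by the resolver.

```python
import hashlib

# --- minimal DER helpers (constructed for this example, not a full ASN.1 library) ---

def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def iter_tlv(buf):
    """Yield (tag, value, raw_bytes) for each top-level DER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr = 2 + n
        end = pos + hdr + length
        yield tag, buf[pos + hdr:end], buf[pos:end]
        pos = end

def extract_spki(cert_der):
    """Return the raw DER of subjectPublicKeyInfo using the RFC 5280 field order:
    Certificate -> tbsCertificate -> [version] serial signature issuer validity subject spki."""
    _, cert_val, _ = next(iter_tlv(cert_der))
    _, tbs_val, _ = next(iter_tlv(cert_val))
    fields = list(iter_tlv(tbs_val))
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]

# --- constructed test certificate (structure only; the signature bytes are placeholders) ---

def build_spki(key_bytes):
    """Ed25519 SubjectPublicKeyInfo (OID 1.3.101.112) around a constructed 32-byte key."""
    alg = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key_bytes))

def build_toy_cert(spki_der):
    """Unsigned v3 certificate skeleton for mail.example.com (assumed name)."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial = tlv(0x02, b"\x01")
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0c, b"mail.example.com"))))
    validity = tlv(0x30, tlv(0x17, b"230101000000Z") + tlv(0x17, b"240101000000Z"))
    tbs = tlv(0x30, version + serial + sig_alg + name + validity + name + spki_der)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\xab" * 32))   # placeholder signature

# --- TLSA (RFC 6698 section 2.1) ---

def tlsa_assoc_data(cert_der, selector, matching):
    """Selector 0 = full certificate, 1 = SPKI; matching 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")

def tlsa_record(owner, usage, selector, matching, cert_der):
    """Presentation-format TLSA record for the given certificate."""
    return f"{owner} IN TLSA {usage} {selector} {matching} " \
           f"{tlsa_assoc_data(cert_der, selector, matching).hex()}"

def parse_tlsa_rdata(text):
    """Parse 'usage selector matching hex' into a tuple with the association data as bytes."""
    usage, selector, matching, hexdata = text.split()
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata)

def dane_ee_matches(cert_der, rrset):
    """True if the presented end-entity certificate matches any usage-3 (DANE-EE) record.
    Usages 0-2 require PKIX or trust-anchor chain validation and are skipped here;
    records with an unknown matching type are treated as unusable and ignored."""
    for usage, selector, matching, assoc in rrset:
        if usage != 3:
            continue
        try:
            if tlsa_assoc_data(cert_der, selector, matching) == assoc:
                return True
        except ValueError:
            continue
    return False

if __name__ == "__main__":
    cert = build_toy_cert(build_spki(b"\x11" * 32))
    for sel, match in ((0, 1), (1, 1), (1, 2)):
        print(tlsa_record("_25._tcp.mail.example.com.", 3, sel, match, cert))
    rr = parse_tlsa_rdata("3 1 1 " + hashlib.sha256(extract_spki(cert)).digest().hex())
    print("match:", dane_ee_matches(cert, [rr]))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one that survives certificate renewal as long as the key pair is kept, which is why it is the usual choice for mail servers; a "3 0 1" record pins the whole certificate and must be re-published on every renewal.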