Subj : BINKP over TLS
To   : Alexey Fayans
From : Alan Ianson
Date : Wed Dec 18 2019 05:12 pm

Hello Alexey,

AF> I believe Michael Dukelsky (2:5020/1042) is the last active binkd
AF> developer.

He is next on my list; I didn't realize he was the only developer. I don't yet have enough to reach out and ask him myself. I know I want to be secure but I don't know the best way to go about that. He may very well have better ideas than I do anyway, and I am happy enough that we are having this discussion.

AF> I've already expressed my ideas, but here's a summary:
AF> 1. STARTTLS is the best option because:

I have read and agree with your reasons for wanting to use STARTTLS. I don't think STARTTLS is what we want today. In the early going of TLS it was probably the only way forward since there were many destinations that did not support TLS; that is not the case today. I don't read of anyone adopting STARTTLS today, only deprecating it.

AF> 1.1. It works on the same port and therefore will be adopted way
AF> faster.
AF> 1.2. Can work out of the box without additional configuration.
AF> 1.3. Requires significantly less software modified.
AF> 1.4. Not less secure than TLS on a dedicated port because it is
AF> possible to announce TLS support via nodelist.
AF> 2. For any kind of TLS something must be decided on certificate
AF> authority.
AF> 2.1. We can use internet CAs, but this will require additional
AF> binding of fidonet address to internet domain, probably, via
AF> nodelist. Doesn't look shiny.
AF> 2.2. We can have own CA but this makes fidonet more centralized,
AF> we will also have to define a secure way of issuing and delivering
AF> certificates.

I do agree with your reasons for STARTTLS, they are good reasons. If binkps over TLS were implemented today I think implicit TLS is the way to do it. We need a binkps listener on port 24553 (or the port you intend to use) and a way to start a poll to such a listener. I would be willing to test TLS with you if you like, even using STARTTLS.

If we got some testing under our belt we could discover what works and what doesn't and be in a better position to give feedback to the binkd developer(s).

Ttyl :-), Al

--- GoldED+/LNX 1.1.5-b20180707
 * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)
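The message argues for an implicit-TLS binkps listener (TLS from the first byte, no STARTTLS upgrade) and raises the question of which certificate authority to trust. The following Go program is an added illustration of that model and is not binkd's code or anything from the binkd developers. It assumes only the Go standard library: it mints an ephemeral self-signed certificate as a stand-in for whatever certificate an operator would really hold, starts a TLS-only listener on a loopback ephemeral port (the real service would bind 24553 as the message says), and dials it with a client that trusts that one certificate directly rather than any public CA. The greeting string `M_NUL SYS Example-Node` is constructed for the example and is not binkp's real frame format.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Port named in the message; the example binds an ephemeral loopback port
// instead so it runs anywhere without clashing with a real mailer.
const BinkpsPort = 24553

// selfSignedCert mints an ephemeral certificate for "localhost". Assumption:
// it stands in for the operator's real certificate, whatever issues it.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// ImplicitTLSExchange runs a listener that speaks TLS from the first byte
// (no STARTTLS step), dials it with a client that trusts only that listener's
// certificate, and returns the negotiated TLS version and the server greeting.
// A plaintext caller hitting this port fails the handshake and gets nothing.
func ImplicitTLSExchange() (uint16, string, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, "", err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse legacy protocol versions outright
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		_, err = fmt.Fprint(conn, "M_NUL SYS Example-Node\r\n") // constructed greeting
		srvErr <- err
	}()

	// Pin the listener's own certificate instead of consulting a public CA:
	// no Internet-domain binding is required and trust stays with the operator.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()

	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return 0, "", err
	}
	if err := <-srvErr; err != nil {
		return 0, "", err
	}
	return conn.ConnectionState().Version, strings.TrimRight(line, "\r\n"), nil
}

func main() {
	ver, greeting, err := ImplicitTLSExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS 0x%04x negotiated, greeting %q (production port %d)\n", ver, greeting, BinkpsPort)
}
```

The pinned-certificate client is one concrete answer to the CA question quoted in the message: each side trusts a specific certificate it obtained out of band (the nodelist being the obvious channel), so neither an Internet CA nor a network-wide CA is required. Replacing the pool with a CA certificate instead is a one-line change and exercises option 2.2 from the quote.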