Re: [Mailsec] [Extra] Advanced ("Modern & Secure") Email Authentication

Steffen Nurpmeso <steffen@sdaoden.eu> Thu, 26 August 2021 16:29 UTC

Return-Path: <steffen@sdaoden.eu>
X-Original-To: mailsec@ietfa.amsl.com
Delivered-To: mailsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D47AF3A08D7; Thu, 26 Aug 2021 09:29:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iZcmrDkxLxnL; Thu, 26 Aug 2021 09:29:02 -0700 (PDT)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E97DA3A09FC; Thu, 26 Aug 2021 09:22:45 -0700 (PDT)
Received: from kent.sdaoden.eu (kent.sdaoden.eu [10.5.0.2]) by sdaoden.eu (Postfix) with ESMTPS id 61F5D16056; Thu, 26 Aug 2021 18:22:42 +0200 (CEST)
Received: by kent.sdaoden.eu (Postfix, from userid 1000) id 98DD8C98; Thu, 26 Aug 2021 18:22:40 +0200 (CEST)
Date: Thu, 26 Aug 2021 18:22:40 +0200
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Michael Peddemors <michael@linuxmagic.com>
Cc: extra@ietf.org, Michael Slusarz <michael.slusarz=40open-xchange.com@dmarc.ietf.org>, mailsec@ietf.org, Steffen Nurpmeso <steffen@sdaoden.eu>
Message-ID: <20210826162240.oxpLH%steffen@sdaoden.eu>
In-Reply-To: <dd80a3ac-90f9-e7f0-7b64-7771f677fa49@linuxmagic.com>
References: <1898235280.14467.1629960434945@appsuite.open-xchange.com> <dd80a3ac-90f9-e7f0-7b64-7771f677fa49@linuxmagic.com>
Mail-Followup-To: Michael Peddemors <michael@linuxmagic.com>, extra@ietf.org, Michael Slusarz <michael.slusarz=40open-xchange.com@dmarc.ietf.org>, mailsec@ietf.org, Steffen Nurpmeso <steffen@sdaoden.eu>
User-Agent: s-nail v14.9.22-175-gc118a4a5c7
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
Archived-At: <https://mailarchive.ietf.org/arch/msg/mailsec/aU2q0rn-Z89b_UdouQymrGGNkB4>
Subject: Re: [Mailsec] [Extra] Advanced ("Modern & Secure") Email Authentication
X-BeenThere: mailsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email Security Issues <mailsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mailsec>, <mailto:mailsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mailsec/>
List-Post: <mailto:mailsec@ietf.org>
List-Help: <mailto:mailsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mailsec>, <mailto:mailsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2021 16:29:08 -0000

Michael Peddemors wrote in
 <dd80a3ac-90f9-e7f0-7b64-7771f677fa49@linuxmagic.com>:
 |Hi Michael,
 |
 |For the record, there is a new (relatively) mailing list that has low 
 |volume, but I might suggest that this discussion belongs on that list.
 |
 |"mailsec@ietf.org"
 |
 |It is a good topic for that list.  I heard about this initiative, and it 
 |seems interesting, and while I am still not convinced that utilizing our 
 |CLIENTID addition to the protocols belongs in some of the ideas..
 |
 |"The goal is to educate on the interplay between already existing
 |standards like Email SRV records (RFC 6186), OAUTH/OpenID autodiscovery
 |in SASL (RFC 7628), and expected authentication flows in the various.. "
 |
 |I do think it is an important topic, given the very real and present 
 |dangerous problems surrounding email authentication.

What a terrible sedition is that again, i wonder why that hate
speech always comes up again and again, and is allowed on public
lists.  While big players have not managed to protect their
users by offering S/MIME or OpenPGP as part of their business,
still.  Really, i am so pi..ed by this, over and over again.
'Tell you what, i opened a PayPal account just a few weeks ago,
and i can tell you how easy it is when money is waving hello.

Luckily i have cold security on this box (Luks2), as well as warm
security (encfs on top, passwords in that PGP encrypted on top),
as well as hot security (slock on LID close, encfs umount on LID
close, ssh-agent key DB drop on LID close).

'Tell you what, i just wanted to get an OAuth verification for a
Unix console application, and it is just a chicanery.  You need to
create a youtube video to visualize things ... that this console
program just does not have!  I gave them a still frame like so

    #?0!0/NONE#|sn_gm:/var/spool/mail/steffen? File imap
  [I contact GMail]

    You need a passphrase to unlock the secret key for
    user: "Steffen Nurpmeso <steffen@sdaoden.eu>"
    4096-bit RSA key, ID A57802DD, created 2017-11-30 (main key ID 1883A0DD)
  [On the cold-security unlocked hard disk partition, on the
  cold/warm unlocked encrypted directory, there is an OpenPGP
  encrypted file where the passwords are stored.
  This file is unlocked here, the password comes from an agent
  running concurrently to the session you see]

    #?1!22/INVAL#|sn_gm:imaps://sdaoden@imap.gmail.com/INBOX?
  [We are now connected to GMail.  There is no mail]

So hey, support free projects which provide secure password
stores, i have heard you even donate a bit to keep TLS alive and
living!  Thank you!!  We have one major TLS, and a single major
PGP implementation on this earth -- thank you!!!!

Support standardized secure email containers.

Support refreshing of authentication tokens via normal TLS
transport, instead of requiring HTTPS that is HTTP 1.1 today, 1.2
tomorrow and 1.3 a day later.  Even omnipresent cURL that gets
a bit of donation i have heard slurps in support for 1.2 and 1.3
via external libraries because it is such a huge pile of work!
Even if there is relation in between the major head and QUIC, no?

Support EXTERNAL authentication, support CMS, support
authentication that interacts with security tokens.  Support live
refresh of certificates inside a TLS connection authenticated via
EXTERNAL.  Hey, support per-user server TLS certificates shipped
alongside the EXTERNAL certificate for the user, so that there is
a true and real point-to-point connection.

Or hey, create your own better-email that _you_ can make money
with?

All i want to use is my passport that comes from my country by the
way.

'Tell you what, i do not have any apps on the (used) smartphone
i have.  Hey, but do not ask me why.

And what do you mean with insecure?  My bank account uses
a four-digit PIN.  How secure is that???

Really.  You may feel cool when singing this sedition over and
over again, and it may bring you forward in your job.
Other than that .. really not.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)