Subj : Binkd and TLS
To   : Alan Ianson
From : Michiel van der Vlist
Date : Tue Dec 17 2019 10:40 am

Hello Alan,

On Monday December 16 2019 14:59, you wrote to me:

 MV>> 1) Don't fix it if it ain't broke. I am not convinced yet that
 MV>> binkd's security is broke and needs fixing.

 AI> I don't think binkd or the binkp protocol are broken and need fixing.

Then what problem ARE we trying to fix?

 MV>> I am not convinced that TLS offers better protection against
 MV>> snooping than what binkd already has. Half of TLS is providing
 MV>> authoritative identity to the server. I don't see any value for
 MV>> that in Fidonet. TTBOMK there has been no case of someone
 MV>> successfully setting up a rogue node and masquerading as someone
 MV>> else. If only because there is no business model..

 AI> This has happened in the past. nobogus comes to mind.

Apples and oranges. Nobogus solved problems created by rogue CLIENTS. TLS does not protect against that. It only authorises the /server/, not the /client/.

 AI> TLS certainly offers better security. No question.

So you say. But merely claiming it is "better" is just like claiming aluminium is "better" than copper. In what way is TLS "better"? A claim of "better" security has to be more specific than just that. Better than what? Better against what threats and by whom? If you do not specify the threat, a claim of better security is meaningless.

 MV>> 2) It violates the KISS principle. I see little or no added value
 MV>> in adding TLS to Binkd. In the case of Binkd it just makes things
 MV>> more complicated and prone to misconfiguration and other mishaps.

 AI> It does require some setup. Synchronet's BinkIT mailer currently has
 AI> support for a binkps listener setup like this in Synchronet's
 AI> services.ini

The world of Fidonet is bigger than Synchronet (Thank god). You make it sound like "Synchronet supports it, so it must be a good thing". Sorry, I am not of the "Synchronet is better" club.

 AI> This was all done without changing binkp. We have simply put binkp on
 AI> a secure channel.

But why? I still have no answer for that.

Let me put it this way: If binkd over TLS is the solution, what is the problem?

Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
 * Origin: http://www.vlist.eu (2:280/5555)