Subj : BINKP over TLS
To   : Alan Ianson
From : Alexey Fayans
Date : Wed Dec 18 2019 01:32 pm

Hello Alan!

On Tue, 17 Dec 2019 at 15:02 -0800, you wrote to me:

 AI> If you have ideas around security in binkd I would send them directly
 AI> to one of the binkd developers. Alexey Vissarionov is someone active
 AI> in Fidonet and is a binkd developer I think. That might be a good
 AI> place to start.

I believe Michael Dukelsky (2:5020/1042) is the last active binkd developer.

I've already expressed my ideas, but here's a summary:

1. STARTTLS is the best option because:
1.1. It works on the same port and therefore will be adopted way faster.
1.2. It can work out of the box without additional configuration.
1.3. It requires significantly less software to be modified.
1.4. It is not less secure than TLS on a dedicated port, because it is possible to announce TLS support via the nodelist.

2. For any kind of TLS, something must be decided on the certificate authority.
2.1. We can use internet CAs, but this will require an additional binding of the fidonet address to an internet domain, probably via the nodelist. Doesn't look shiny.
2.2. We can have our own CA, but this makes fidonet more centralized, and we will also have to define a secure way of issuing and delivering certificates.

.... Music Station BBS | https://bbs.bsrealm.net | telnet://bbs.bsrealm.net
--- GoldED+/W32-MSVC 1.1.5-b20180707
 * Origin: Music Station | https://ms.bsrealm.net (2:5030/1997)