Subj : Secure binkp
To   : NuSkooler
From : Oli
Date : Wed Nov 27 2019 11:12 am

On Tue, 26 Nov 2019 19:15:02 -0700
"NuSkooler -> Oli" <0@121.1.21> wrote:

 Ol>> I would like to avoid this. This would open another can of
 Ol>> worms.

 N> Build in support for Let's Encrypt :)

For testing we can use self-signed certs. I also would prefer not to be
dependent on CAs by default. We could use trust on first use (TOFU) instead
(like SSH does by default). Ideally this would be configurable per domain,
zone, network or node/point. Of course there is also DANE.

What is still missing is some authentication of incoming connections if no
session password is configured. On the TLS level we could use client
certificates, but it would make everything more complicated and less flexible.

Maybe some new callback OPT in binkp?
 > I have mail for you, please poll my node to get it
 < Okay
 > cu, bye
or
 < Nah, just dump it, I don't care about authenticity
 > [files]
 > done, bye
or
 < I don't want it and I will not call back
 > whatever, bye

---
 * Origin:  (21:1/151)

.