
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   BINKD      Support for the Internet BinKD mailer      8,958 messages   


   Message 6,476 of 8,958   
   Michiel van der Vlist to Alan Ianson   
   Binkd and TLS   
   17 Dec 19 10:40:02   
   
   TID: FMail-W32 2.1.3.7-B20170919   
   RFC-X-No-Archive: Yes   
   TZUTC: 0100   
   CHRS: CP850 2   
   MSGID: 2:280/5555 5df8a7b8   
   REPLY: 1:153/757 5df812a1   
   Hello Alan,   
      
   On Monday December 16 2019 14:59, you wrote to me:   
      
    MV>> 1) Don't fix it if it ain't broke. I am not convinced yet that   
    MV>> binkd's security is broke and needs fixing.   
      
    AI> I don't think binkd or the binkp protocol are broken and need fixing.   
      
   Then what problem ARE we trying to fix?   
      
    MV>> I am not convinced that TLS offers better protection against   
    MV>> snooping than what binkd already has. Half of TLS is providing   
    MV>> authoritative identity to the server. I don't see any value for   
    MV>> that in Fidonet. TTBOMK there has been no case of someone   
    MV>> successfully setting up a rogue node and masquerading for someone   
    MV>> else. If only because there is no business model..   
      
    AI> This has happened in the past. nobogus comes to mind.   
      
   Apples and oranges. Nobogus solved problems created by rogue CLIENTS. TLS does   
   not protect against that. It only authorises the /server/, not the /client/.   
      
    AI> TLS certainly offers better security. No question.   
      
   So you say. But merely claiming it is "better" is just like claiming aluminium   
   is "better" than copper.   
      
   In what way is TLS "better"? A claim of "better" security has to be more   
   specific than just that. Better than what? Better against what threats and by   
   whom?   
      
   If you do not specify the threat, a claim of better security is meaningless.   
      
    MV>> 2) It violates the KISS principle. I see little or no added value   
    MV>> in adding TLS to Binkd. In the case of Binkd it just makes things   
    MV>> more complicated and prone to misconfiguration and other mishaps.   
      
    AI> It does require some setup. Synchronet's BinkIT mailer currently has   
    AI> support for a binkps listener setup like this in Synchronet's   
    AI> services.ini   
      
   The world of Fidonet is bigger than Synchronet (Thank god). You make it sound   
   like "Synchronet supports it, so it must be a good thing". Sorry, I am not of   
   the "Synchronet is better" club.   
      
    AI> This was all done without changing binkp. We have simply put binkp on   
    AI> a secure channel.   
      
   But why? I still have no answer for that. Let me put it this way:   
      
   If binkd over TLS is the solution, what is the problem?   
      
      
   Cheers, Michiel   
      
   --- GoldED+/W32-MSVC 1.1.5-b20170303   
    * Origin: http://www.vlist.eu (2:280/5555)   
   SEEN-BY: 1/123 90/1 103/705 154/10 203/0 221/0 6 227/114 229/101 200   
   SEEN-BY: 229/354 426 1014 240/5832 249/307 317 280/464 5003 5555 292/854   
   SEEN-BY: 310/31 342/200 396/45 423/120 712/848 770/1 2452/250 5019/40   
   SEEN-BY: 5020/1042 5053/58   
   PATH: 280/5555 464 229/426   
      



(c) 1994,  bbs@darkrealms.ca