schmonz.com is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

Search results for tag #SMTP

mirabilos
@mirabilos@toot.mirbsd.org

Remember the threads¹² about #LetsEncrypt removing a crucial key usage from certificates issued by them in predictive obedience to their premium sponsor Google?

We were at first concerned about #SMTP. While I had lived through this problem with #StartSSL by #StartCom back in 2011, I only had a vague recollection of Jabber but recalled in detail that it broke server-to-server SMTP verification (whether the receiving server acted on it or just documented it).

Well, turns out someone now reported that it indeed breaks #XMPP entirely: https://community.letsencrypt.org/t/do-not-remove-tls-client-auth-eku/237427/66

This means that it will soon no longer be possible at all to operate Jabber (XMPP) servers because the servers use the operating system’s CA certificate bundle for verification, which generally follows the major browsers’ root stores, which have requirements from the CA/Browser Forum, who apparently don’t care about anything other than the web browser, and so no CA whose root certificate is in that store will be allowed to issue certificates suitable for Jabber/XMPP server-to-server communication, while these CAs are the only ones trusted by those servers.

So, yes, Google’s requirement change is after all breaking Jabber entirely. Shame on anyone who thinks ill of it.

While https://nerdcert.eu/ by @jwildeboer would in theory help, it doesn’t exist yet, and there’s not just the question of when it will be included in operating systems’ root CA stores but whether it will be included in them at all.

Google’s policy has no listed contact point, and the CA/B forum isn’t something mere mortals can complain to, so I’d appreciate it if someone who can, and who has significant skills to argue this in English and is willing to, would bring it to them.

① mine: https://toot.mirbsd.org/@mirabilos/statuses/01JV8MDA4P895KK6F91SV7WET8
② jwildeboer’s: https://social.wildeboer.net/@jwildeboer/114516238307785904

    marc0s
    @marcos@social.tenak.net

    As of today, #gmail seems to be rejecting all emails from my server because of its "low reputation". All MX tools online say my server is OK (SPF, DMARC), my IP isn't in any blacklist, and I already have set up the TXT DNS records for Google's Postmaster.

    Any idea on how to proceed?

    These big providers are a PITA for self hosters 🤬

    #smtp #spam #mx #FediHelp #selfhosting

      Jan Schaumann
      @jschauma@mstdn.social

      System Administration

      Week 8, HTTPS & TLS

      After discussing HTTP in the previous week and seeing how we used STARTTLS in the context of #SMTP, we are now quickly reviewing HTTPS, TLS, and the WebPKI. While we don't have a video segment for this, here are slides, including this handy diagram illustrating the CSR process:

      stevens.netmeister.org/615/08-

        Jan Schaumann
        @jschauma@mstdn.social

        System Administration

        Week 8, The Simple Mail Transfer Protocol

        Shared by a student of mine: Email vs Capitalism, or, Why We Can't Have Nice Things, a talk given by Dylan Beattie at NDC Oslo 2023. Covers a lot of our materials and adds some additional context.

        youtu.be/mrGfahzt-4Q

          Jan Schaumann
          @jschauma@mstdn.social

          System Administration

          Week 8, The Simple Mail Transfer Protocol

          In this video, we begin our discussion of E-Mail by looking at the components of the larger mail system (the Mail User Agent, Mail Transfer Agent, Mail Delivery Agent, Access Agent); we observe the packets involved in a simple exchange and track an email from one system to the other, both through the logs and on the wire, before we then learn to speak SMTP via telnet(1).

          youtu.be/Ai8rjqelwsI

            Jan Schaumann
            @jschauma@mstdn.social

            System Administration

            Week 8, The Simple Mail Transfer Protocol, Part II

            In this video, we observe the incoming mail on our MTA, look at how STARTTLS can help protect information in transit, how MTA-STS can help defeat a MitM performing a STARTTLS-stripping attack, and how DANE can be used to verify the authenticity of the mail server's certificate.

            youtu.be/RgEiAOKv640

              Jan Schaumann
              @jschauma@mstdn.social

              System Administration

              Week 8, The Simple Mail Transfer Protocol, Part III

              In this video, we look at ways to combat Spam. In the process, we learn about email headers, the Sender Policy Framework (#SPF), DomainKeys Identified Mail (#DKIM), and Domain-based Message Authentication, Reporting and Conformance (#DMARC). #SMTP doesn't seem quite so simple any more...

              youtu.be/KwCmv3GHGfc