Does anyone here have connections to the IT department of aok.de? Yesterday they swapped the SSL certificate of their mx1.aok.de but overlooked the TLSA record for DANE...
https://dane.sys4.de/smtp/service.bw.aok.de
20:00: working again! Thanks :)
Another #prosody release and another smooth upgrade. This one's a biggie: the 0. versioning has been dropped!
There are some additions for #DANE and channel binding, which I should look into. Also more granular permissions, which will surely be useful for deployments bigger than mine.
Downtime was also short enough to not trigger the uptime monitors.
I see even the bookworm-backports package is updated. https://blog.prosody.im/prosody-13.0.0-released/
#xmpp #selfhosting
Why Denmark dominates the World Happiness Report rankings year after year https://www.byteseu.com/779241/ #dane #denmak #Denmark #Economics #Finance #happiness #income #lifestyles #Politics #sweeps #TheConversation #U.S. #wire #WorldHappinessReport
Fixing the PKI Mess: CAA + Your Own CA via DNS
Right now, any CA can issue a certificate for your domain. Even if you set a CAA record (`issue "letsencrypt.org"`), it only controls *who* can issue, not what cert is valid. This is broken.
What if we could fix this using DNS?
#Introducing CAA+CA Fingerprint: Self-Sovereign Certificate Authority
Instead of just saying *which CA can issue*, you publish your own CA's fingerprint in DNS. If your CA issues a cert for `awesomecars.com`, browsers should validate it against the DNS-published CA key.
How It Works
You run your own CA (because why trust the cartel?). You then publish:
- A CAA record specifying your own CA (with a fingerprint!)
- A DNS record with your CA's public key (like DKIM but for TLS!)
Example DNS Setup for `awesomecars.com`:
```
awesomecars.com. IN CAA 0 issue "pki.awesomecars.com; sha256=abcd1234..."
; CERT type 1 = PKIX (an X.509 certificate); type 6 would be IPGP. RDATA is the base64 DER certificate.
pki.awesomecars.com. IN CERT 1 0 0 (--BEGIN CERTIFICATE-- ....)
```
Now, only certs signed by your CA are valid for `awesomecars.com`, even if another CA is tricked into issuing a rogue cert. No more CA hijacking!
Why Is This Better Than the Current CA Model?
- Self-Sovereign Identity: If you own the domain, you should own its PKI.
- Prevents Rogue Certs: No government or rogue CA can fake a cert for your domain.
- Works Like DKIM for Email: Your CA's public key is stored in DNSSEC-protected records, just like DKIM keys for email signing.
- No More External Trust Issues: You control your CA entirely, instead of relying on Google's CA store.
- Perfect for Self-Hosting & Internal Networks: No need for external CA trust; your DNS is your trust model.
Why Isn’t This a Thing Already?
- Big Tech hates this idea because it removes their control: Google wants Certificate Transparency (CT), where they control which certs are logged.
- Commercial CAs make $$$ selling certs. This kills their business.
- DNSSEC adoption is intentionally kept low by the same companies who don't want this to succeed.
- Browsers refuse to support TLSA for the same reason: they want centralized CA trust, not self-hosted PKI.
Who Needs to Implement This?
- Self-hosters & Homelabs: Use this for your own infrastructure.
- Email providers: Stop relying on public CAs!
- Privacy-focused projects (Tor, Matrix, XMPP, Fediverse, etc.): A true decentralized PKI alternative.
- Fediverse devs: Let's push for DNS-based CA validation!
What do you think? Would you trust your own CA in DNS over some random commercial CA?
Boost this if you want a decentralized PKI revolution!
As an #American I must educate you as to recent territorial claims
The last #Dane to rule #England was Harthacnut because Edward the Confessor stole the title from his successor Magnus
Thus all governments of #Britain since then are illegitimate and Denmark is still rightful ruler of the #BritishIsles
Secondly the #AmericanRevolution was an illegal war of independence. Thus the #USA is still a territory of the #UK
Ergo, the #US is in reality owned by Denmark
Glad to clear this up
heise+ | Security: How Microsoft protects mail transport with DANE
Microsoft only recently equipped its mail services with the DNS-based security technology DANE, for good reasons.
LOLOLOL
I just got it into my head to set up #DANE for my vanity domain #mail server. I have a vague recollection of starting on that and not really finishing...
So I go to one DANE validator and it says I'm already good.
I go to another DANE validator and IT says I'm already good.
So, apparently all I ever *needed* to do was to add TLSA records, and I did that some time ago thinking it was a harmless first step rather than all I really needed.
#DNSSEC and #DANE should not replace the established #TLS certificate authority system, because it would undermine end-to-end encryption between client and server, but I do believe that DNSSEC/DANE serve a legitimate role: preventing #DNS spoofing by third parties, i.e. proving that a DNS record really comes from the correct name server.
And in order to keep DNS requests private, DoH/DoT/DoQ should be the default.
@letoams @soatok Hmm, perhaps we could map SSH key identities to people in a very similar way to the OPENPGPKEY record in #DANE, but with #SSHFP instead. We could reuse the algorithm for owner name creation, just with a different record. But that does not match how I use my SSH keys. I have one per machine, not one per person. I think I do them the way I should, right?
Microsoft secures e-mail with #DANE at the request of the Dutch government: https://www.forumstandaardisatie.nl/nieuws/microsoft-beveiligt-e-mail-met-dane-op-verzoek-van-nederlandse-overheid
Anti-choice activists obtained data on people visiting abortion clinics; German journalists obtained data on people linked to national security. What information do data brokers hold, and with whom do they share it?
https://techspresso.cafe/2024/10/18/czy-dane-lokalizacyjne-stanowia-zagrozenie-dla-kobiet/
The Internet Security Days 2024 marked the starting point for a new effort by eco and @bsi to raise adoption of modern email security standards across Germany and worldwide. I'm honored that I was allowed to shape some of the contents of this great event, and mail security is finally getting the attention it deserves.
https://international.eco.de/news/internet-security-days-2024-it-security-for-email-ai-and-nis2/
This morning with the background of the Capitol in #Madison #Wisconsin. VP #Kamala #Harris is expected to hold a rally in #Dane county from 3-7pm (CDT) #elections #politics #democracy #SwingStates
“Announcing Public Preview of Inbound SMTP DANE with DNSSEC for Exchange Online“, https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-public-preview-of-inbound-smtp-dane-with-dnssec-for/ba-p/4155257
#DANE #DNSSEC
Changes at @letsencrypt affecting mail servers using DANE-TA(2) with LE certificates:
- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
- https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/ZTM3XQMI3XP7PWMWJTXBYDPVU4UENE24/
#DANE #TLSA
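The two failure modes that run through this thread (a renewed MX certificate with a fresh key and a stale "3 1 1" record, as in the aok.de outage at the top, and a "2 1 1" record pinned to a CA intermediate that the CA has since replaced, as in the Let's Encrypt notes above) come down to what a TLSA record actually hashes. The following Go program is an added example, not code from any of the posts or from sys4, Let's Encrypt or Microsoft: it builds a throwaway test PKI in memory and checks chains against TLSA records the way a DANE-validating SMTP client does for the SMTP-relevant forms, usage 3 (DANE-EE) and usage 2 (DANE-TA, which is also what the "publish your CA's fingerprint in DNS" proposal earlier in the thread amounts to), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256). All names (mx1.example.net, the CA names) and keys are constructed; nothing is looked up in DNS or read from disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one DNS record (RFC 6698 / RFC 7671); only usage 2/3, selector 1, matching type 1 are handled here.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      string // association data, lowercase hex
}

// tlsaData is the "1 1" association data: SHA-256 over the DER SubjectPublicKeyInfo, i.e. the key alone, not the cert.
func tlsaData(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// daneMatches: does the presented chain (leaf first) satisfy at least one record? Usage 3 is checked against the leaf, usage 2 against the issuers above it.
func daneMatches(records []TLSA, chain []*x509.Certificate) bool {
	if len(chain) == 0 {
		return false
	}
	for _, r := range records {
		if r.Selector != 1 || r.Matching != 1 || (r.Usage != 2 && r.Usage != 3) {
			continue // other usages/selectors/matching types are outside this example
		}
		candidates := chain[:1]
		if r.Usage == 2 {
			candidates = chain[1:]
		}
		for _, c := range candidates {
			if tlsaData(c) == r.Data {
				return true
			}
		}
	}
	return false
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCert issues a throwaway cert for cn signed by parent/parentKey (self-signed when parent is nil). Constructed test PKI only.
func newCert(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

type Outcome struct{ Initial, NewKeyRenewalEE, NewKeyRenewalTA, NewIntermediateTA bool }

// rotationScenario plays through the renewals discussed in the thread and records which records still validate.
func rotationScenario() Outcome {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := newCert("Test Root", rootKey, nil, nil, true)
	inter := newCert("Test Intermediate (old)", interKey, root, rootKey, true)
	leaf := newCert("mx1.example.net", leafKey, inter, interKey, false)
	ee := []TLSA{{3, 1, 1, tlsaData(leaf)}}  // _25._tcp.mx1.example.net. TLSA 3 1 1 <hex>
	ta := []TLSA{{2, 1, 1, tlsaData(inter)}} // _25._tcp.mx1.example.net. TLSA 2 1 1 <hex>
	var o Outcome
	o.Initial = daneMatches(ee, []*x509.Certificate{leaf, inter, root})
	// Renewal with a fresh key and no TLSA update: the classic DANE outage (a renewal keeping leafKey would still match). 2 1 1 survives it.
	rekeyed := newCert("mx1.example.net", newKey(), inter, interKey, false)
	o.NewKeyRenewalEE = daneMatches(ee, []*x509.Certificate{rekeyed, inter, root})
	o.NewKeyRenewalTA = daneMatches(ta, []*x509.Certificate{rekeyed, inter, root})
	// The CA moves to a new intermediate key: a 2 1 1 record pinned to the old intermediate breaks.
	inter2Key := newKey()
	inter2 := newCert("Test Intermediate (new)", inter2Key, root, rootKey, true)
	reissued := newCert("mx1.example.net", leafKey, inter2, inter2Key, false)
	o.NewIntermediateTA = daneMatches(ta, []*x509.Certificate{reissued, inter2, root})
	return o
}

func main() { fmt.Printf("%+v\n", rotationScenario()) }
```

The practical takeaway is in tlsaData: with selector 1 the record pins the public key, so a renewal that reuses the key pair needs no DNS change, a renewal that generates a new key must be preceded by publishing the new 3 1 1 record (and waiting out the old TTL) before the certificate is swapped in, and a 2 1 1 record pinned to a CA's intermediate is only as stable as that CA's intermediate rotation schedule.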
@internet_nl Have you heard anything about mail servers with #DANE configured with a #letsencrypt R11 intermediate-signed cert to which #Microsoft (and only Microsoft) no longer wants to deliver email? One example is https://internet.nl/mail/herenstraat.nl/1272691/