On Mon, 15 Dec 2025, Thomas Bohl wrote:
provided dina's tls cert, so both hosts were authenticated, and the
connection could not be any more secure.
Warning: You don't have authentication between blackblock and dina! (That is
why you need 2603:c026:306:9211::300 in your <localnet> table.) Even with
"verify". All that does is: "Yep, I know and trust that CA."
Authentication is a different "beast". Whether you want or need to introduce
it is another topic. Just remember for now that the transactions are not
authenticated.
Here's what I do with opensmtpd for peer-to-peer email: use a
"crypto-mesh" IPv6 VPN like cjdns or yggdrasil. The raw IPs are
authenticated, every IP is a hash of a pubkey, and the packets between
IPs travel over a TLS session using the pubkeys of the IPs.
That way, you get encrypted transfer and authentication with no reliance
on ICANN DNS or the CAB forum (that votes on the CAs trusted in
mainstream browsers by default). Zero spam. Opensmtpd config has
changed slightly since I wrote the article, but here is the idea:
https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/
For a larger group (where listing all the crypto-mesh IPs becomes
cumbersome), create a private TLD with private CA, and hand out domains
to your peers. Also zero spam.
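The "every IP is a hash of a pubkey" property above is what turns a source address into an identity. As an added illustration (not code from this thread or from cjdns itself), the script below derives a cjdns address the way cjdns does, first 16 bytes of SHA-512 applied twice to the 32-byte Curve25519 public key, with only results inside fc00::/8 being usable, and checks that a peer's address really is the one bound to the key it authenticated with. The two keys in it are constructed byte strings, not real node keys, and `address_matches_key` is a name chosen here, not an API of any mesh daemon.

```python
"""Verify that a crypto-mesh IPv6 address is bound to a node's public key.

cjdns derives a node's address as the first 16 bytes of
SHA-512(SHA-512(pubkey)) over the 32-byte Curve25519 public key; only keys
whose result starts with 0xfc (inside fc00::/8) are usable. Because the
address is a hash of the key, a peer that completes the key exchange for that
address has proven it holds the matching private key. The keys below are
constructed for illustration only.
"""
import hashlib
import ipaddress

# Constructed sample keys (32 arbitrary bytes each), not real node keys.
SAMPLE_PUBKEY = bytes(range(32))
OTHER_PUBKEY = bytes(range(1, 33))

# The only range cjdns hands out.
CJDNS_PREFIX = ipaddress.IPv6Network("fc00::/8")


def derive_cjdns_address(pubkey: bytes) -> ipaddress.IPv6Address:
    """Return the IPv6 address cjdns derives from a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("cjdns public keys are 32 bytes")
    digest = hashlib.sha512(hashlib.sha512(pubkey).digest()).digest()
    return ipaddress.IPv6Address(digest[:16])


def is_cjdns_address(addr: str) -> bool:
    """True if addr parses as IPv6 and lies in fc00::/8."""
    try:
        return ipaddress.IPv6Address(addr) in CJDNS_PREFIX
    except ValueError:
        return False


def key_is_usable(pubkey: bytes) -> bool:
    """True if the key's derived address is inside fc00::/8.

    For a random key this happens about 1 time in 256, which is why cjdns
    key generation keeps drawing keys until one qualifies.
    """
    return derive_cjdns_address(pubkey) in CJDNS_PREFIX


def address_matches_key(addr: str, pubkey: bytes) -> bool:
    """True if addr is exactly the address derived from pubkey.

    Receiving-side check (hypothetical helper name): the mesh layer tells you
    which key the peer authenticated with; this confirms that the source IP
    on the SMTP session is that key's address and not an unrelated one.
    """
    return ipaddress.IPv6Address(addr) == derive_cjdns_address(pubkey)


if __name__ == "__main__":
    addr = derive_cjdns_address(SAMPLE_PUBKEY)
    print("derived address:", addr.compressed)
    print("key usable (fc00::/8):", key_is_usable(SAMPLE_PUBKEY))
    print("matches own key:", address_matches_key(str(addr), SAMPLE_PUBKEY))
    print("matches other key:", address_matches_key(str(addr), OTHER_PUBKEY))
```

The check is deliberately split in two: `address_matches_key` answers "is this address bound to this key", and `is_cjdns_address` answers "is this address even in the mesh range", which is what a <localnet> style table should be built from rather than an individual global address.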