The Grumpy Troll

Ramblings of a grumpy troll.

PGP & TLS updates

Some changes in local anchors and identity. PGP I am now completely cut over to using my PGP key generated in 2013, as a 4096-bit RSA key, to replace the previous 1024-bit DSA keys from long ago. The new key, 0x4D1E900E14C1CC04, is in the strong-set: I took care to ensure that was the case before cutting over to it. It has been signed by both my older keys, with a Signature Policy URL which ends /self and the text retrieved therefrom asserts that it’s an “it’s me” binding.


Four miscellaneous things

Four small things, none on their own worthy of a blog post; the first three are debugging notes from the past week or so and the last is … stunned admiration for PR skill. First up: FreeBSD Jails and nullfs and ZFS ZFS is very handy in FreeBSD 10, where you can now boot from ZFS. Note though that zfs maintains its own internal mapping of where names should be mounted, used via zfs mount -a in /etc/rc.d/zfs.


XMPP & DANE with Prosody

Last night (or very early this morning), the XMPP service for (this grumpy troll’s primary domain) received an upgrade. TLS trust verification for outbound connections can now be performed via DANE lookups. DANE is a mechanism, using DNS, DNSSEC and a TLSA record type, to provide verifiable information in DNS about the trust anchors for reaching a particular service, such that verifying the certificate or public key identifying the remote end of a TLS connection need only rely upon the data in the DNS.


Golang, TLS & Comodo

Had an interesting spot of debugging today, which highlighted a few issues. One of them is my “Oh, I knew about that feature, interesting to see how it interacts here.”, which might cause some programmers to chuckle darkly. One server component which my employer maintains talks to a third-party API for an ancillary service; this is over HTTPS with secret API keys. All certificates and hostnames are validated, etc. Recently, the connectivity broke.


DMARC Stance

DMARC is in the email tech news once more, following Yahoo’s decision to publish a DMARC policy on some of their domains, telling recipient systems to reject mails which do not have valid origin information. I’ve previous written here about DMARC in the context of its privacy implications, covering mailing-list disclosures and then revisiting, for bug interactions making matters worse. In addition, my name has come up in various circles because of a patch to Mailman which I contributed to.