Sort out our domains

[callahad]

Assigning to @buro9, since I recall you bought some domains for us.

Questions to figure out:

• [x] What domains do we (you) have?
• [x] How should we go about setting those up and ensuring a bus factor > 1?

[grafana-dee]

A list:

• portier.io
• letsauth.io
• letsauth.net
• letsauth.org

Registrar for all of the above is my personal Gandi account. DNS for all of the above is my personal CloudFlare account.

There's no good answer for either Gandi or CloudFlare accounts being owned by more than one person, both support degrees of multi-user but ultimately both have the concept of a single owner.

I'm happy to set up a new Gandi account and a new CloudFlare account, and then to move all of the above domains to them, and finally to share the credentials for those new accounts with a few people via LastPass.

Issue with that: Shared credentials means no 2FA on those accounts... not sure how to get around that. Perhaps this is acceptable?

[djc]

In the end, 2FA is also just a shared secret. Why couldn't that work? I.e. you could save the QR code and recovery codes and share them through a private channel.

[grafana-dee]

That would work for the Gandi secret, not sure that the CloudFlare one works the same as CloudFlare use Authy. But hey... could drop CloudFlare and use Gandi DNS, we only need the domains available to more than just myself.

Next question then, any Domain owner has to be a legally verifiable entity, an individual or association or company, etc.

Should I set up another personal account, and I'm still the legal owner effectively, just for the credential sharing capability? Or are we going to have a legal entity I should use instead?

[djc]

I think it'd make sense to have you as the legal owner for now. Once Portier finds a legal home (i.e. I would think in the direction of the Software Freedom Conservancy or similar), we can always transfer legal ownership.

[callahad]

All of the above sounds good to me. :shipit:

[grafana-dee]

The new Gandi account has been setup with a long password and 2FA enabled.

I have for your good selves:

1. Gandi username
2. Password
3. 2FA seed (and QR image)

If you guys have https://keybase.io/ accounts I will encrypt the above and them to you via that. If you need invites I have some, and you can add me on there: https://keybase.io/buro9

I'm happy to share DNS info with callahad, djc, stavros and onli . A bus factor of 5 is pretty solid. I already have stavros on Keybase.

The domain transfers to the new account are in progress.

[grafana-dee]

All domains have now been transferred.

Could each of the following confirm you're happy to receive domain account credentials and if so, your Keybase username: @skorokithakis ( https://keybase.io/stavros ) @onli @callahad @djc

[skorokithakis]

Yep, that's mine! I'm good for credentials, I'll keep the encrypted email.

[callahad]

I'm https://keybase.io/callahad. Or I will be, once I finish relearning GnuPG. Working on that now.

[onli]

I'm https://keybase.io/onli

[grafana-dee]

People who have the encrypted credentials for the domain names

• [x] onli
• [x] stavros

Bus factor of 3.

[callahad]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Alright, I've generated a new master OpenPGP key with fingerprint:

    45A9 53A2 E442 7B8A 68D1  7CED 6E4A 6E96 560C 0D96

I've pushed it to the pgp.mit.edu keyserver, which you can see at:
http://pgp.mit.edu/pks/lookup?search=0x45a953a2e4427b8a68d17ced6e4a6e96560c0d96&op=vindex&exact=on

I've also completed a bunch of confirmations at https://keybase.io/callahad
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXtS7RAAoJEI1t1xPp66f9+tsP/RFSwgCg1fdrjUR4d+NHu8Pd
CILgXyxUrSdMD/B46HJSlS48I7w6vzRqBVMjfPxgMRi13MA3Bs4R4ia+91gIpivw
worMqWiLDYhex0kGvoU9m/eRSFb0oav0scqIsJc4ZkRuV+IN+PbUX3KUcW+tdceH
30SjMsWMOoXBIbm6IJqPfS2MFgYQXNXsxsfR2zXO6x7F/mJ+UYCKvYT3Qd/GgxAa
MmsKM/4Pw42ayXbybQt8gJb4MILbwKSjbvYrsxi+iPVm5YFde98em6dQ8IORpT7J
IGDW+BDBkDcXrTvesUv/7Ju3Zh3RT0B5+HDrff49u6sik7JvCEzRzPtQITqlIuHk
jvUqqXom86je1883va40LxFI+kEQ8o+793Pi8Lnvp1ttVdvIEMkWMEcAh5cb+DYB
bCrRwYt42E4Z2hj/MZKdyONuL/P1xJVWVBeVupBEedEoRi3MB6RMV+Cw0M8lH7E+
6abtCAkWyGd8MxnkW9vps2U2YxSNz39CsbKpTuJBLx7N6NUpGPcQLVHHASdh6TpS
FMMzVt7H5nTxKkPpgZhFlFhg5/yspykrRmud7GPnyd+bt6pUIP4e86t++mawTo9/
MterBABWCYGPGoM+8sarpt3Pp+cs6duRSwUf/2pUjenkjfhb9h/3lnURf+M63vRR
2KqWzaazb4ZLshmX30mx
=rISq
-----END PGP SIGNATURE-----

[djc]

I'm https://keybase.io/djc.

[grafana-dee]

People who have the encrypted credentials for the domain names

• [x] buro9
• [x] onli
• [x] stavros
• [x] callahad
• [x] djc

Bus factor of 5.

The email sent to each of you, encrypted using Keybase, contains all of the details and is enough by itself.

However for convenience I've also uploaded the 2FA QR image to the keybase shared folder for each of you (if you have the Keybase binary installed rather than using the website you can access the private folder). This is only if you like scanning QR codes, the text message included the 2FA seed anyway.

I believe that this ticket is now closed.

[grafana-dee]

Actually... where do we want to point portier.io? To a github page, or hosted somewhere so that we run an instance of Portier?

If the latter, I don't mind paying for server instances somewhere if someone else would like to ops them.

[djc]

For now, I have the broker running on my server, which should be okay for now. What about CNAMEing broker.portier.io to portier.xavamedia.nl for now?

I've also already worked on an EC2 server that would be able to run this thing. However, not really sure I'd like to be paying for that long-term.

[grafana-dee]

Can be done if you're willing to set up a TLS cert on portier.xaviermedia.nl for broker.portier.io so that SSL can be enabled.

[djc]

Yeah, can you set up the pointer? I need to redo Let's Encrypt validation anyway, and I can trivially include both domain names in the certificate that way.

[grafana-dee]

Current DNS settings (in Gandi, using Gandi DNS):

@ 10800 IN A 217.70.184.38
broker 10800 IN CNAME portier.xaviermedia.nl.
@ 10800 IN TXT "v=spf1 -all"
_dmarc 10800 IN TXT "v=DMARC1; p=none; rua=mailto:z3qirov9@ag.dmarcian-eu.com;"

The A address is the Gandi default.

I've set the SPF to "sends no email" as that is currently true, will revisit when we start sending email. I've added DMARC reporting to my dmarcian account to see whether anyone does try sending email on this domain (for info, every domain has people spoofing it for email, SPF and DKIM are the only defences, DMARC is the only visibility into it).

Still leaves the question of what to do with the apex A record, perhaps that is a Github pages thing.

[djc]

Err, sorry, I mistyped: it's xavamedia, not xaviermedia.

The broker does send email for email addresses that don't have an IdP. We can use my server (xavamedia.nl) as the MTA for now, as well.

[grafana-dee]

Updated, 3 hour TTL so you may not see it for a while:

@ 10800 IN A 217.70.184.38
broker 10800 IN CNAME portier.xavamedia.nl.
@ 10800 IN TXT "v=spf1 -all"
_dmarc 10800 IN TXT "v=DMARC1; p=none; rua=mailto:z3qirov9@ag.dmarcian-eu.com;"

[djc]

Okay, broker.portier.io is working now.

[djc]

(Also, I was able to login to Gandi successfully, so that worked according to plan!)

[callahad]

I've configured Gandi's redirection service to 302 FOUND from http://portier.io/ to https://portier.github.io/

I think we're set here :)