Question about TLS certificate policy

1. Ryan Westlund (rlwestlund (a) gmail.com)

I've been reading about Gemini and part of me likes the decision to
abandon certificate authorities in favor of TOFU, but I have a
question about how this works. The Gemini specification says:

> If the certificate is not the one previously received, but the previous 
certificate's expiry date has not passed, the user is shown a warning, 
analogous to the one web browser users are shown when receiving a 
certificate without a signature chain leading to a trusted CA.

Doesn't this mean that the replacement certificate must be deployed at

ahead of time, users will see errors? And users will see errors if you
are late to replace it?

Link to individual message.

2. Adnan Maolood (me (a) adnano.co)

On Mon Nov 9, 2020 at 7:06 AM EST, Ryan Westlund wrote:
> I've been reading about Gemini and part of me likes the decision to
> abandon certificate authorities in favor of TOFU, but I have a
> question about how this works. The Gemini specification says:
>
> > If the certificate is not the one previously received, but the 
previous certificate's expiry date has not passed, the user is shown a 
warning, analogous to the one web browser users are shown when receiving a 
certificate without a signature chain leading to a trusted CA.
>
> Doesn't this mean that the replacement certificate must be deployed at
> *exactly* the right time to avoid errors? If you deploy it even a day
> ahead of time, users will see errors? And users will see errors if you
> are late to replace it?

Yes, it does. Some servers automatically generate certificates to avoid
this issue, ensuring that an expired certificate is never used.

Link to individual message.

---

Previous Thread: Statement of intent regarding TLS server name identification (SNI)

Next Thread: Serious writing (in the Latin script) needs italics