On Sun, Feb 28, 2021 at 08:27:26PM +0100, C?me Chilliet <come at chilliet.eu> wrote a message of 32 lines which said: > The certificate trust is one of the weak point of the current > specification I think, and it would need to be clarified. I agree with your statement. With the new issue tracking system that Sean configured, this is ticket #5 <https://gitlab.com/gemini-specification/protocol/-/issues/5>. > Secondly, there is the good old CA system, nowadays mostly using > letsencrypt. It seems badly supported in most clients which still > use TOFU in this case and will complain at each renewal. More precisely, each renewal, BY DEFAULT. But Let's Encrypt lets you request that we keep the public key, and then TOFU will still work iff it acts on the public key only. If you use the ACME client dehydrated, this is in the configuration file: PRIVATE_KEY_RENEW="no" With the ACME client certbot, this is an option on the command-line: --reuse-key > A third possibility I think would be to use DANE and base validation > on the DNS system, but I?ve not seen anyone advocating this, is > there anything wrong with that idea? This is certainly the best solution, technically speaking. Unfortunately, adding DANE support to your Gemini client typically requires some effort, the existing libraries are typically not sufficient. (Full disclosure: I did not even add DANE support to my own Gemini client, despites the fact I'm strongly pro-DANE.) Also, the Internet is very ossified by broken middleboxes (typically firewalls but not only them) and TLSA requests may be blocked (or, worse, any DNSSEC use, which DANE requires). This is something to keep in mind. > I?m failing to see how TOFU can provide any security, especially if > there is no way to announce a renewal by sending both new and old > cert or something, there is a MITM possibility at each renewal. The > only TOFU example I?ve seen cited is openssh, which seems offtopic > because you usually do not ssh into random machine on the internet > by following links like you do with Gemini. I fully agree. TOFU is great for SSH but Gemini is completely different.
---
Previous in thread (10 of 19): 🗣️ Petite Abeille (petite.abeille (a) gmail.com)
Next in thread (12 of 19): 🗣️ Stephane Bortzmeyer (stephane (a) sources.org)