Re: Updated recommendations regarding TOFU & TLS

On Thu, 2021-03-04, Drew DeVault wrote:
> Hello! I have recently announced some upcoming changes to my Gemini
> software implementations with respect to TLS and TOFU:
> 
> https://lists.sr.ht/~sircmpwn/gmni-discuss/%3CC9OP7IK9T9EP.15EOEOOS7QSB9%40taiga%3E
> 
> I've also updated my older TOFU recommendations article to reflect the
> changes:
> 
> gemini://drewdevault.com/2020/09/21/Gemini-TOFU.gmi

A few observations:

1. Not storing the port means that the client can't adequately support
different certs being served on different ports.  You can test with:

wikipedia.geminet.org
wikipedia.geminet.org:1966


2. Not storing the expiration timestamp means that the client can't
issue a less scary warning when it receives a new cert after the old one
expired (or when it's about to expire).

Solderpunk argued in favor of clients using expiration dates, for ex:
gemini://gemi.dev/gemini-mailing-list/messages/002101.gmi

> I guess I see the main utility of explicit expiration dates in this
> context as being a kind of promise from the server admin that "I have no
> plans to do a key rotation for about this length of time".  This means
> that apparent MITM attacks happening at a time when there's a lot of
> validity left can be treated with much higher suspicion.


3. A cert can be renewed without changing its public key, so storing a
hash of the SPKI (SubjectPublicKeyInfo) instead of the entire
certificate means potentially fewer unnecessary warning messages for
users.  Here's the OpenSSL command to extract the SHA512 hash of the
DER-encoded SPKI:

openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha512 -binary | openssl enc -base64 -A

I used base64 at the end to get a shorter string.

And here's the command one would use to renew a cert without changing keys:

openssl req -new -x509 -key private_key.pem -out new_cert.pem -subj "/CN=example.com" -days 36500

It generates a certificate valid for 100 years using the old key.
Amfora uses the SPKI, so it wouldn't raise a warning about this new cert.

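A minimal TOFU store that follows the three observations above (port in the key, stored expiry, SPKI fingerprint instead of a whole-certificate hash), added here as an example; it is not code from this email, from Amfora or from any other Gemini client. The SPKI bytes and dates are constructed, and the seven-day "about to expire" window is an assumption the email does not state.

```python
import base64
import hashlib

DAY = 86400
NEAR_EXPIRY = 7 * DAY  # "about to expire" window: an assumption, the email gives no number

def spki_fingerprint(spki_der: bytes) -> str:
    """base64(SHA-512(DER SPKI)), the value the openssl pipeline above prints."""
    return base64.b64encode(hashlib.sha512(spki_der).digest()).decode("ascii")

def check_cert(store, host, port, spki_der, not_after, now):
    """Classify a presented cert against the store (timestamps in Unix seconds).
    store maps (host, port) -> {"spki": fp, "expires": not_after}; keying on the
    port keeps wikipedia.geminet.org and wikipedia.geminet.org:1966 separate."""
    fp = spki_fingerprint(spki_der)
    entry = store.get((host, port))
    if entry is None:
        store[(host, port)] = {"spki": fp, "expires": not_after}
        return "first-use"
    if entry["spki"] == fp:
        entry["expires"] = not_after  # renewed with the same key: no warning
        return "known-key"
    # Key changed: suspicion scales with the validity left on the stored cert.
    if now >= entry["expires"]:
        return "rotated-after-expiry"    # expected, mild warning
    if entry["expires"] - now <= NEAR_EXPIRY:
        return "rotated-near-expiry"     # plausible early rotation
    return "changed-before-expiry"       # much validity left: treat as possible MITM

def accept_new_key(store, host, port, spki_der, not_after):
    """Only after the user explicitly accepts a changed key."""
    store[(host, port)] = {"spki": spki_fingerprint(spki_der), "expires": not_after}

def demo():
    """Constructed walk-through (sample bytes, not real keys); returns the verdicts."""
    key_a, key_b = b"constructed-spki-der-A", b"constructed-spki-der-B"
    host, t0, store = "wikipedia.geminet.org", 1_614_816_000, {}  # t0 = 2021-03-04 UTC
    return [
        check_cert(store, host, 1965, key_a, t0 + 30 * DAY, t0),             # first-use
        check_cert(store, host, 1966, key_b, t0 + 30 * DAY, t0),             # first-use, other port
        check_cert(store, host, 1965, key_a, t0 + 90 * DAY, t0 + DAY),       # known-key (renewed)
        check_cert(store, host, 1965, key_b, t0 + 90 * DAY, t0 + 2 * DAY),   # changed-before-expiry
        check_cert(store, host, 1965, key_b, t0 + 90 * DAY, t0 + 85 * DAY),  # rotated-near-expiry
        check_cert(store, host, 1965, key_b, t0 + 90 * DAY, t0 + 91 * DAY),  # rotated-after-expiry
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The same-key renewal in step three is exactly the `openssl req -new -x509 -key private_key.pem` case: the fingerprint is unchanged, so the store is updated without a prompt.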