Comment by tinspin on 17/01/2025 at 00:22 UTC*

1 upvotes, 1 direct replies (showing 1)

> Now Gemini pretty much encourages TOFU

Everything on the planet is TOFU!

Just like everything on the planet is a pyramid scheme.

But I do like the "no more username and password" (at least for mundane sites) and this should have obviously been built into the web from the start... but then people would have understood what a hoax centralized CAs and root certs are...

Trusting the server is not needed, so it creates unnecessary friction setting up a server, if you go to a domain you trust it. Or at least it should be optional?

Tox has this interesting side effect of being decentralized that you cannot run two clients at the same time with the same public key (could be fixed but not super easily) ...

What happens in gemini land when two browsers use the same client certificate on the same server at the same time?

Replies

Comment by IHeartBadCode at 17/01/2025 at 02:07 UTC

1 upvotes, 0 direct replies

> if you go to a domain you trust it

It's not just that you trust the domain, it's that you can verify that what you are hearing from the domain is indeed from the person whom you trusted initially.

So you know that the data is not modified in any manner that the domain did not intend on it being modified in.

> What happens in gemini land when two browsers use the same client certificate on the same server at the same time?

Depends on the logic of the server. In most cases the server will see the two clients as being the same person. Perhaps we are speaking about someone at some site both on their PC and mobile device.

In fact I can confirm that this is what happens because I can open Station on both my computer I'm typing this on and on my mobile device and the client certificate is the same between both. Station is indicating that it is indeed I on both devices.

And that makes sense, because all the client certificate does is ensure that the trusted person is indeed the person sending the traffic and that the traffic is indeed the traffic the trusted person sent.

For Tox it makes sense why each public key on the network needs to be unique. There's a point in being able to tell the difference between not only a person, but the hardware the person is using. If I call your tox client on your mobile device, I need that device to ring, not just any device that you happen to have.

A client certificate just ensures the identity of the traffic that's coming down the channel. You can make that identity a device, a person, a group, etc... It's up to whoever is implementing to define that aspect.

That's why reading the standard is important on each protocol. It is there to convey how things should be understood and to encourage a particular use-case of a protocol.
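To make concrete what the two comments describe (a client pinning a server certificate on first use, and a server treating every connection that presents the same client certificate as one identity), here is an added Python sketch. It is not code from either commenter, from Station, or from any Gemini client or server; the certificate byte strings are constructed placeholders standing in for DER-encoded certificates.

```python
import hashlib

# Constructed placeholder byte strings standing in for DER-encoded certificates;
# a real client would take these from ssl.SSLSocket.getpeercert(binary_form=True).
SERVER_CERT_V1 = b"constructed-der:gemini.example:v1"
SERVER_CERT_V2 = b"constructed-der:gemini.example:v2"
CLIENT_CERT_ALICE = b"constructed-der:alice:identity"


def fingerprint(cert_der: bytes) -> str:
    """Stable identifier for a certificate; no CA or chain is involved."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Client-side trust-on-first-use pin store, in the spirit of SSH known_hosts."""

    def __init__(self):
        self.pins = {}  # host -> fingerprint seen on first contact

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp  # first use: remember it, trust from now on
            return "pinned"
        if pinned == fp:
            return "match"  # same certificate as before: proceed
        return "mismatch"  # rotated key or interception: do not proceed silently

    def repin(self, host: str, cert_der: bytes) -> None:
        """Explicit user decision to accept a changed certificate."""
        self.pins[host] = fingerprint(cert_der)


class ClientIdentities:
    """Server-side view: the client certificate is the identity, so any number
    of simultaneous connections presenting it map to the same user."""

    def __init__(self):
        self.connections = {}  # fingerprint -> set of live connection ids

    def identify(self, conn_id: str, client_cert_der: bytes) -> str:
        fp = fingerprint(client_cert_der)
        self.connections.setdefault(fp, set()).add(conn_id)
        return fp

    def active_connections(self, client_cert_der: bytes) -> int:
        return len(self.connections.get(fingerprint(client_cert_der), set()))
```

The "mismatch" outcome is the only place TOFU offers any protection after first contact, so a client that auto-accepts it has no pinning at all.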