💾 Archived View for rawtext.club › ~sloum › geminilist › 000631.gmi captured on 2020-09-24 at 02:26:12. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Dave Huseby dwh at vi.rs
Thu May 14 21:27:55 BST 2020
- - - - - - - - - - - - - - - - - - -

This is a great reply. I never troll, I was just trying humor to dissuade Sean but he didn't catch the hint and doubled down. I have no patience for people who cannot be bothered to be neighborly. I've been around in open source long enough to know that trolls like Sean are like graffiti. If you tolerate them, the trolling only gets worse and eventually leads to ruining the neighborhood.

I want to point out that the *only* reason I'm using Gemini at all is because it respects the sovereignty of users more than the web. You guys are going to get tired of me talking about it. Gemini is nowhere near fully user sovereign though. Frankly the software and research I'm doing doesn't really need something like Gemini. It was my mistake to mix up the ideas of what I'm publishing on my Gemini space with Gemini.

My only real criticism for Gemini is that it relies on TLS. I personally believe that all communications should be encrypted by default. Gemini insisting on encryption is good but going with TLS is bad when there are much better choices such as CurveCP. I don't trust TLS because of this:

=> https://arstechnica.com/information-technology/2013/01/turkish-government-agency-spoofed-google-certificate-accidentally/

I know, I know, but what about OCSP stapling and the global issuance observatory that were created to address this? The fact that the CA system is centralized and top-down combined with the fact that applications just blindly trust the root certs in the file that Mozilla puts on all of our computers leaves too many attack vectors for me to trust it over the long term.

Gemini allows for self-signed certs, if you're going that far, why not use a better sign-after-encrypt protocol that actually increases security? CurveCP is much simpler than TLS at all levels. Why shouldn't Gemini avoid relying on centralized solutions such as TLS and the CA system?

If the stated goal of Gemini is to be better than the web, why make the same mistakes as the web? If the stated goal is to just keep the code simple, fine, but why TLS then, CurveCP is simpler? What are the goals of Gemini?

Cheers!
Dave