💾 Archived View for rawtext.club › ~sloum › geminilist › 001816.gmi captured on 2020-09-24 at 01:37:33. Gemini links have been rewritten to link to archived content


fingerprint art

mbays at sdf.org

Sat Jun 20 12:59:00 BST 2020

- - - - - - - - - - - - - - - - - - - 

I'd like to suggest that, to supplement TOFU, we copy OpenSSH's trick of displaying a fingerprint as ASCII art. I just implemented this in my client diohsc; here's an example:

```
g gemini.circumlunar.space

gemini://gemini.circumlunar.space
Certificate chain: DST Root CA X3
Let's Encrypt Authority X3
gemini.circumlunar.space
    +-----[X509]------+           +-----[X509]------+
    |   ..     .      |           |  ... .          |
    |o .  .   . .     |           |   . o .         |
    |+o  . o   o      |           |    o o          |
    |+E   = . =       |           |   . . o         |
    | .  + + ^ .      |           |  . . o ^        |
    |   . + * o       |           |   + + E         |
    |    . o .        |           |  . @ .          |
    |       .         |           |.o + *           |
    |                 |           |B+..o            |
    +----[SHA256]-----+           +----[SHA256]-----+
    Let's Encrypt Authority X     gemini.circumlunar.space
    Expires 2021-03-17            Expires 2020-08-01
    25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
    2bba43d5886f92f4e3f1d0fc1d66d647c2b890965e8088f09d0345649bb5bd25
No previous certificate seen for this host -- trusting provided certificate!
[press a key]
```

The idea is that these pictures are much easier for humans to recognise than long hex strings. So even if you don't have the fingerprint you're expecting saved to disk, you might be familiar enough with its picture that you can recognise if it's changed.

This is using the "drunken bishop" algorithm used by OpenSSH; it's pretty straightforward, and described nicely here: http://www.dirk-loss.de/sshvis/drunken_bishop.pdf (I'm using this nice Haskell implementation: https://hackage.haskell.org/package/drunken-bishop )

I think it might be nice if we had a cross-client convention to use these fingerprint pictures.
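As an added illustration (not diohsc's code and not the Haskell package), here is the OpenSSH variant of the bishop's walk in Python, with the side-by-side chain layout from the post and the byte comparison a TOFU client still has to perform. It assumes OpenSSH's 17x9 field and its 'S'/'E' markers; the pictures in the post mark the start square with '^' and the Haskell library may read the bits in a different order, so it is not expected to reproduce them exactly.

```python
import hmac

# Assumed OpenSSH randomart parameters: a 17x9 field with the bishop starting at the centre.
WIDTH, HEIGHT = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^"   # glyph per visit count; the last one caps the scale
START, END = "S", "E"         # OpenSSH's markers (the post's pictures use '^' for the start)

def drunken_bishop(digest: bytes) -> list[str]:
    """Return the nine field rows for a fingerprint digest, without the frame."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    for byte in digest:
        for _ in range(4):                   # four 2-bit steps per byte, low bits first
            x += 1 if byte & 0x1 else -1     # bit 0 picks right or left
            y += 1 if byte & 0x2 else -1     # bit 1 picks down or up
            x = min(max(x, 0), WIDTH - 1)    # the bishop cannot leave the board
            y = min(max(y, 0), HEIGHT - 1)
            field[y][x] += 1
            byte >>= 2
    rows = [[SYMBOLS[min(c, len(SYMBOLS) - 1)] for c in row] for row in field]
    rows[HEIGHT // 2][WIDTH // 2] = START   # start and end squares override the counts
    rows[y][x] = END
    return ["".join(r) for r in rows]

def frame(label: str) -> str:
    """Border line like '+-----[X509]------+', label centred with the spare dash on the right."""
    tag = f"[{label}]"
    left = (WIDTH - len(tag)) // 2
    return "+" + "-" * left + tag + "-" * (WIDTH - len(tag) - left) + "+"

def randomart(digest: bytes, header: str = "X509", footer: str = "SHA256") -> list[str]:
    """Framed picture, one string per line, in the layout the post shows."""
    return [frame(header)] + ["|" + row + "|" for row in drunken_bishop(digest)] + [frame(footer)]

def side_by_side(*pictures: list[str], gap: int = 11) -> str:
    """Lay pictures out horizontally, as the post does for a certificate chain."""
    return "\n".join((" " * gap).join(lines) for lines in zip(*pictures))

def fingerprint_matches(stored: bytes, presented: bytes) -> bool:
    """The picture helps a human notice a change; the client must still compare the bytes."""
    return hmac.compare_digest(stored, presented)

if __name__ == "__main__":
    # The two SHA256 fingerprints quoted in the post, intermediate CA then leaf.
    intermediate = bytes.fromhex("25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d")
    leaf = bytes.fromhex("2bba43d5886f92f4e3f1d0fc1d66d647c2b890965e8088f09d0345649bb5bd25")
    print(side_by_side(randomart(intermediate), randomart(leaf)))
    print("leaf unchanged:", fingerprint_matches(leaf, leaf))
```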