💾 Archived View for rawtext.club › ~sloum › geminilist › 001091.gmi captured on 2020-11-07 at 01:58:48. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2020-09-24)
-=-=-=-=-=-=-
solderpunk solderpunk at SDF.ORG
Wed May 27 17:42:54 BST 2020
- - - - - - - - - - - - - - - - - - -
On Sun, May 24, 2020 at 11:22:48PM +0100, Martin Keegan wrote:
On Sat, 23 May 2020, solderpunk wrote:
I appreciate that under the current dispensation, the distribution of
certificates or certificate-signing-requests is out-of-band, but in my use
case, it's not clear to me how I'd go about implementing this. I'd
have thought something like:
C: connect to S, without presenting a client cert and request /path/file
S: 62 you need to present an authorised client cert; closes connection
C: reconnect to S, presenting appropriate client cert, request /path/file
S: 20 text/gemini [data follows]; closes connection
This is exactly the intended workflow, and is now supported somewhatsmoothly in AV-98. Here is an example session. For the sake of makingit clear what is happening, I have `set debug true` but deleted most ofthe debugging output, leaving only what is necessarily to make it clearwhat is happening here:
AV-98
go gemini://gemini.conman.org/conman-labs-private/[DEBUG] Response header: 62 Authorized Certicate Required.The site gemini.conman.org is requesting a client certificate.This will allow the site to recognise you across requests.What do you want to do?1. Give up.2. Generate new certificate and retry the request.3. Load previously generated certificate from file.4. Load certificate from file and retry the request.
2What do you want to name this new certificate?Answering `mycert` will create `~/.av98/certs/mycert.crt` and`~/.av98/certs/mycert.key`conmanGenerating a RSA private key..............+++++.........................................+++++writing new private key to '/home/solderpunk/.av98/client_certs/conman.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or aDN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:.State or Province Name (full name) [Some-State]:.Locality Name (eg, city) []:.Organization Name (eg, company) [Internet Widgits Pty Ltd]:.Organizational Unit Name (eg, section) []:.Common Name (e.g. server FQDN or YOUR name) []:Let me in!Email Address []:.[DEBUG] Sending gemini://gemini.conman.org/conman-labs-private/<CRLF>[DEBUG] Response header: 63 Certificate Not Accepted.The server did not accept your certificate.You may need to e.g. coordinate with the admin to get your certificatefingerprint whitelisted.What do you want to do?1. Give up.2. Generate new certificate and retry the request.3. Load previously generated certificate from file.4. Load certificate from file and retry the request.
1
However, it's my possibly mistaken understanding that an SSL client will not
present a cert to the server unless the server sends the CertificateRequest
message first. Since the server doesn't know whether the client is going to
ask for a restricted resource, it won't request a client cert. This seems to
lead to a chicken-and-egg problem: to get access to the resource, the client
must present its cert; to present the cert, the client must be asked to do
so by the server; but the server doesn't know it should ask for the
certificate before the client has said which resource it wants to access.
Hmm. Either you are mistaken, or you're correct but all the serversI've tested this against thus far (admittedly not many!) request aclient cert unconditionally and don't complain when one is not provided.If you're right, I guess we need to spec this behaviour as required.
Anyway, I think the ergonomics and patterns around how certificate signing
requests get moved around are going to be a bigger problem.
I have to admit that I don't see a lot of point in using CSRs in thiscontext. The whole point of a signed certificate is so that party A canprove to anybody who trusts party B that party B verified they arereally party A. The certificate is for the benefit of third parties.If you are running a Gemini server and you want to use client certificates torestrict access to certain people, there is no third party in thepicture. So why not just remember the fingerprint of certificates you'veverified as belong to people you want to grant access to? That way nobodyhas to send you a CSR and you don't have to send back a signed certificate.In a two-party scenario all that just seems like pointless busy work tome. Am I missing something?
Cheers,Solderpunk