
Re: [spec] The updated speculative specification is now up

- Benjamin Cronin <bcronin720 at gmail.com>

@ Thu, 08 Apr 2021 22:05 -0400

────────────────────────────────────────────────────────────────────────────────

Perhaps it could mention something about published vulnerabilities or
crackability with consumer hardware, as a response to the [by whom?] that
nervuri mentions here.

I think library support is also important to make sure that any
implementations are done well and that people aren't trying to rush a
standard without proper support, leading to more bugs and opportunities for
malicious attacks.

- Entflammen

On Thu, Apr 8, 2021 at 4:00 PM <text@sdfeu.org> wrote:

> On Thu, 08 Apr 2021 16:59:31 +0000, nervuri wrote:
>> On Wed, 2021-04-07, Sean Conner wrote:
>>> Also, stats [1] show that some 21% of Gemini sites still use TLS 1.2.
>>> Personally, I think that once this falls below 5% (or greater than 95%
>>> of all sites support TLS 1.3) we can revisit this decision.
>>
>> Also, if the actual blocker is the percentage of servers and clients
>> supporting TLS 1.3, then that's what the specification should say,
>> rather than referring to libraries. It can be vague, like:
>>
>> TLS 1.2 is reluctantly permitted until TLS 1.3 support is more
>> widespread among Gemini servers and clients.
>> The minimum required TLS version is 1.2,
>> but clients who wish to be "ahead of the curve" MAY
>> refuse to connect to servers using TLS version 1.2.
>
> Could we even formulate without specifying version numbers, not knowing
> which version Gemini should be using in like a decade? Somewhat along:
>
> Servers and clients must use TLS. The current (stable) TLS version should
> be supported; the next lower version may be supported as long as
> a) this lower version is not [commonly] considered insecure [by whom?]
> and
> b) the majority of [common] TLS libraries do not [yet] support the
> current TLS version in the libraries' stable versions.
>
> Not too sure about a) and the "common" parts, though.
>
> Thx
════════════════════════════════════════════════════════════════════════════════