Archived View for geminispace.org › s › Bubble › 149 captured on 2023-05-24 at 18:03:40. Gemini links have been rewritten to link to archived content
After starting to use the Bubble site I have to say that using certificates for user accounts works really great. I initially created a cert for Astrobotany and now use it for other sites as well, and I have it on 2 different computers, which saves me from using a password manager for it.
2023-05-15 · 9 days ago
Yeah, I'm also using the SHA-256 hash of the peer's DER-formatted certificate. From the CGI program's point of view, that is unique enough to serve as the user ID, and the TLS protocol ensures that only a peer who has the private key of the certificate can use it successfully.
In Bubble, I'm also keeping the SHA-256 hashes of the certificate public keys as a secondary form of identification. Currently they are not used, but a user could create a new certificate with the same private key, in which case the existing public key hash on the server would be enough to recognize and accept the new certificate even though the full certificate SHA-256 doesn't match.
@sirwilburthefirst I usually use the SHA256 of the certificate. When running a CGI program this value is directly available, or when you program the TLS API yourself you can get the certificate and calculate the hash. E.g. I have made a response-form CGI that just uses the cert hash as the user identifier.
→ gemini.lehmann.cx/cgi-bin/response.php
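The scheme described in the two posts above (the full-certificate SHA-256 as the user ID, with the public-key SHA-256 kept as a fallback so a certificate re-issued for the same key is still recognised) in working code, as an added example that is not Bubble's code, Lagrange's code, or the CGI linked above. It uses only Go's standard library: a server would take the certificate from `tls.ConnectionState().PeerCertificates[0]` after the handshake; here `SelfSigned` builds client certificates in-process so the example runs offline, and the `UserStore` type with its `Register`/`Lookup` methods is an assumed, minimal account table. Only public material is hashed; the server never sees the private key, and the TLS handshake is what proves the peer holds it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprints holds the two hashes the thread talks about for one client cert.
type Fingerprints struct {
	CertSHA256 string // hex SHA-256 of the DER certificate: the primary user ID
	KeySHA256  string // hex SHA-256 of the DER SubjectPublicKeyInfo: secondary ID
}

// Fingerprint derives both hashes from a parsed certificate. cert.Raw is the
// exact DER the peer sent in the handshake, so CertSHA256 is the same value a
// Gemini server can hand to a CGI program.
func Fingerprint(cert *x509.Certificate) Fingerprints {
	c := sha256.Sum256(cert.Raw)
	k := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return Fingerprints{
		CertSHA256: hex.EncodeToString(c[:]),
		KeySHA256:  hex.EncodeToString(k[:]),
	}
}

// UserStore is a hypothetical in-memory account table indexed by both hashes.
type UserStore struct {
	byCert map[string]string // certificate hash -> user ID
	byKey  map[string]string // public key hash -> user ID
}

func NewUserStore() *UserStore {
	return &UserStore{byCert: map[string]string{}, byKey: map[string]string{}}
}

// Register records a new account under the certificate the user presented.
func (s *UserStore) Register(userID string, cert *x509.Certificate) {
	fp := Fingerprint(cert)
	s.byCert[fp.CertSHA256] = userID
	s.byKey[fp.KeySHA256] = userID
}

// Lookup resolves a presented certificate to a user ID. The full certificate
// hash is tried first; if it misses but the public key is already known, the
// certificate was re-issued for the same key, so it is accepted and indexed
// under its own hash for next time. Safe because TLS already proved the peer
// holds the matching private key.
func (s *UserStore) Lookup(cert *x509.Certificate) (string, bool) {
	fp := Fingerprint(cert)
	if id, ok := s.byCert[fp.CertSHA256]; ok {
		return id, true
	}
	if id, ok := s.byKey[fp.KeySHA256]; ok {
		s.byCert[fp.CertSHA256] = id
		return id, true
	}
	return "", false
}

// NewClientKey generates the kind of key a Gemini client creates locally.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SelfSigned builds a self-signed client certificate for key. It stands in for
// the certificate a client such as Lagrange would generate; constructed here
// only so the example runs without a real TLS peer.
func SelfSigned(key *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	first, _ := SelfSigned(key, "alice", 1)
	reissued, _ := SelfSigned(key, "alice", 2) // same private key, new certificate

	store := NewUserStore()
	store.Register("alice", first)

	fmt.Println("first cert hash:   ", Fingerprint(first).CertSHA256)
	fmt.Println("reissued cert hash:", Fingerprint(reissued).CertSHA256)
	fmt.Println("shared key hash:   ", Fingerprint(reissued).KeySHA256)
	id, ok := store.Lookup(reissued)
	fmt.Println("reissued cert recognised as:", id, ok)
}
```

The two certificate hashes differ (different serial, fresh signature), the key hash is identical, and `Lookup` maps the re-issued certificate back to `alice`. Hashing `RawSubjectPublicKeyInfo` rather than the bare key bytes keeps the algorithm identifier in the digest, so an RSA and an EC key can never collide on the secondary index.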
Question about that @skyjake, when you use the certificate as a key, what exactly are you using as the key? The private key text blob? I have a small project where I'm doing this but it feels a bit weird, like should I be md5 hashing the key and saving that?
Relying on TLS client certificates really is a great choice in the Gemini protocol. It's both more secure and more convenient than accounts with passwords, but one does have to be mindful of keeping the certificates and keys locally secure. I could be doing a better job with that in Lagrange... For example, on macOS one is supposed to keep sensitive information like this in the Keychain, but now the certificates are just plain old files in the file system, protected only by file system access rights.