💾 Archived View for rawtext.club › ~sloum › geminilist › 004808.gmi captured on 2023-09-08 at 17:35:53. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
easrng easrng at gmail.com
Mon Jan 11 19:47:40 GMT 2021
- - - - - - - - - - - - - - - - - - -
The interaction between TOFU and X.509, if any, must be thought through clearly.

I'm not writing a client right now, but if I was, I think I would handle certs a few different ways. First, if it was tunneled over a protocol that is already encrypted (ex. Tor), I'd accept any certificate, because TLS would be redundant, even though the spec requires it. If the certificate was valid and trusted by the CAs installed, I would also accept it, even if that means overwriting an earlier TOFU entry. Otherwise, I would handle them like SSH handles keys, by asking the user on the first connection if the certificate is trusted. Hopefully blockchain-based naming systems will make cert validation easy some day, as you could just check if the cert matches the signature in the blockchain of the person who owns the domain.