💾 Archived View for rawtext.club › ~sloum › geminilist › 004746.gmi captured on 2023-09-28 at 17:27:17. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Petite Abeille petite.abeille at gmail.com
Tue Jan 5 23:40:25 GMT 2021
- - - - - - - - - - - - - - - - - - -
On Jan 5, 2021, at 21:17, Gary Johnson <lambdatronic at disroot.org> wrote:
> 1. What are the valid/invalid/recommended values for CN, SAN, and
> expiration dates in certificates in the context of TOFU?
TOFU, as practiced by ssh & co., is about key exchange. One accepts a key, from a given host. There is no notion of "certificates", much less X.509 certificates, just a host+key pair.
Certificates should be entirely ignored as far as TOFU goes. And only viewed as a way to transfer the key. An envelope for the key, due to TLS.
Trying to merge the semantics of the X.509 certificates PKI and TOFU is not TOFU anymore. SEITAN perhaps. An entirely different construct for sure.
℀ ±𝟤¢
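
The host+key model described in the message above, as an added example that is not part of the original post: a pin store that pulls the public key out of the certificate and compares only that, so CN, SAN and expiry never enter the decision. The names `TofuStore`, `spki_from_cert` and `fake_cert`, and the choice of a SHA-256 hash of the SubjectPublicKeyInfo as the pin, are assumptions; the sample certificates are constructed DER skeletons, not valid X.509.

```python
import hashlib
import hmac

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_from_cert(der_bytes):
    """Return the raw SubjectPublicKeyInfo element; every other field is skipped."""
    _, start, _ = read_tlv(der_bytes, 0)        # Certificate SEQUENCE
    _, pos, end = read_tlv(der_bytes, start)    # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(der_bytes, pos)
    if tag == 0xA0:                             # optional [0] version
        pos = nxt
    for _ in range(5):          # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(der_bytes, pos)
    _, _, spki_end = read_tlv(der_bytes, pos)
    if spki_end > end:
        raise ValueError("truncated tbsCertificate")
    return der_bytes[pos:spki_end]

class TofuStore:
    """Maps (host, port) to a key fingerprint, as an ssh known_hosts file does."""
    def __init__(self):
        self.pins = {}

    def check(self, host, port, cert_der):
        key = (host.lower(), port)
        fp = hashlib.sha256(spki_from_cert(cert_der)).hexdigest()
        if key not in self.pins:
            self.pins[key] = fp
            return "trusted-on-first-use"
        same = hmac.compare_digest(self.pins[key], fp)
        return "match" if same else "key-changed"

# Constructed sample input: DER skeletons with the field layout of a certificate.
def der(tag, body):
    if len(body) >= 0x80:
        raise ValueError("sample helper handles short-form lengths only")
    return bytes([tag, len(body)]) + body

def fake_cert(subject, not_after, key):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + der(0x30, b"") + der(0x30, der(0x17, not_after))
           + der(0x30, subject) + der(0x30, key))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

A certificate with a different subject and validity period but the same key is reported as `match`; only a different key for the same host yields `key-changed`.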