💾 Archived View for rawtext.club › ~sloum › geminilist › 004800.gmi captured on 2023-09-28 at 17:26:04. Gemini links have been rewritten to link to archived content


[spec] Outstanding issues

nervuri nervuri at disroot.org

Sun Jan 10 12:54:34 GMT 2021

- - - - - - - - - - - - - - - - - - - 

Two privacy-related suggestions:

Only send client certificates over TLS 1.3

TLS 1.3 encrypts client certs; TLS 1.2 doesn't. On 1.2 your ISP might see the user you log in as, your e-mail address and whatever other information you (are required to) put in the cert. Please consider only allowing client certificates over TLS 1.3 (and newer).

No OCSP requests

The spec says:

> Clients can validate TLS connections however they like

As long as CA-based validation is allowed in Gemini, consider adding an exception along the lines of "Thou shalt not make OCSP requests", as they are notoriously bad for privacy, add latency and are easy for attackers to block.
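An added example, not part of nervuri's post or of any Gemini implementation, showing the first suggestion with Go's crypto/tls: the server asks for a client certificate but sets MinVersion to TLS 1.3, so a client capped at 1.2 is turned away before its certificate would have crossed the wire in the clear. Handshake, selfSigned and the names gemini.example and alice are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate (constructed for this example only).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs one in-memory handshake: the server requests a client certificate but refuses
// anything below TLS 1.3; the client offers one but is capped at clientMax.
func Handshake(clientMax uint16) (uint16, bool, error) {
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{selfSigned("gemini.example")},
		MinVersion:             tls.VersionTLS13,      // below 1.3 the client cert would be sent in clear
		ClientAuth:             tls.RequestClientCert, // Gemini client certs are optional
		SessionTicketsDisabled: true,                  // keep the handshake to a single exchange
	}
	clientCfg := &tls.Config{
		Certificates:       []tls.Certificate{selfSigned("alice")}, // the identity to keep private
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // TOFU-style client; server pinning omitted here
	}
	c, s := net.Pipe()
	srv := tls.Server(s, serverCfg)
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	cliErr := tls.Client(c, clientCfg).Handshake()
	if srvErr := <-errc; srvErr != nil || cliErr != nil {
		return 0, false, fmt.Errorf("server: %v; client: %v", srvErr, cliErr)
	}
	st := srv.ConnectionState() // version negotiated and whether the client cert arrived
	return st.Version, len(st.PeerCertificates) > 0, nil
}
```

Handshake(tls.VersionTLS13) completes with the client certificate visible to the server only inside the encrypted handshake; Handshake(tls.VersionTLS12) fails with a protocol-version alert, and no certificate is ever sent.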