💾 Archived View for gemi.dev › gemini-mailing-list › 000785.gmi captured on 2023-11-04 at 13:06:34. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Note: I'm not subscribed to this list, please use "reply-all" to make sure I get Cc'd on your reply.

Hello! I have recently announced some upcoming changes to my Gemini software implementations with respect to TLS and TOFU:

https://lists.sr.ht/~sircmpwn/gmni-discuss/%3CC9OP7IK9T9EP.15EOEOOS7QSB9%40taiga%3E

I've also updated my older TOFU recommendations article to reflect the changes:

gemini://drewdevault.com/2020/09/21/Gemini-TOFU.gmi

In short, after listening to some feedback from the community on TOFU, I'd like to make the following updated suggestions:

- Use long-lived certificates with the expiration set to the far future
- Client software should disregard notBefore/notAfter dates, and the common name as well. Requiring strong algorithms and other technical constraints is fine.

Any server software which wants to migrate to long-lived certificates should let their current certificates expire and then automatically issue a long-lived certificate to replace it when the time comes, rather than switching immediately and causing your clients to flag your cert as untrusted.

To re-state one of my previous recommendations, which I still figure is a good idea: server software should handle certificate maintenance for the user. Making the sysadmin generate certificates is cumbersome and error prone, and because Gemini encourages TOFU and self-signed certificates, we can remove that burden from server operators entirely by generating certificates on-demand for the hosts we intend to service.

Aside: it might be a good idea to have a non-authoritative TLS best-practices document on gemini.circumlunar.space somewhere. I'd be happy to draft up such a document if this is desirable.

On 3/4/2021 8:43 AM, Drew DeVault wrote:
> Note: I'm not subscribed to this list, please use "reply-all" to make
> sure I get Cc'd on your reply.

Um... no offense intended, but if you're not on the list, then why are you posting to the list?

Honest question.

> To re-state one of my previous recommendations, which I still figure is
> a good idea: server software should handle certificate maintenance for
> the user. Making the sysadmin generate certificates is cumbersome and
> error prone,

No it's not. It happens every eighty something-ish days automatically.

For the foreseeable future, Vger will continue to use LetsEncrypt. Easy Peasy!

I hope that helps :)

Kindest regards,

--
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268

On 3/4/21 8:46 PM, Bradley D. Thornton wrote:
> Um... no offense intended, but if you're not on the list, then why are
> you posting to the list?
>
> Honest question.

It looks like you only wrote to the list, so I'm assuming he won't get your reply. Although I have to say that I shared your sentiment, that it seems a little unfair someone wants to not be part of the group but tell the group things. (ie, "you listen to me, I don't listen to you")

That being said, it's just one of many e-mails on the list, so we can overlook it. The information might be useful to someone.

Ben
--
gemini://kwiecien.us/

Re-sending, I forgot to Cc the list. Because I wasn't Cc'd on the reply.

> Um... no offense intended, but if you're not on the list, then why are
> you posting to the list?
>
> Honest question.

It's quite common for someone to write to a mailing list without being subscribed to it. Please use reply-all if you have more to add.

> No it's not. It happens every eighty something-ish days automatically.
>
> For the foreseeable future, Vger will continue to use LetsEncrypt. Easy
> Peasy!

Suit yourself, but this is NOT easy! Installing extra software, running an HTTP server (or TLS-ALPN) for LE to query, running a cronjob (and keeping it running!)... there are a dozen places for error here and it requires a lot of manual setup. Just because you already did the work doesn't mean that it's easier!

In Gemini, we have the privilege of skipping all of this entirely and having zero-configuration TLS. The server generates a certificate and it just works. This is much easier.

On 3/4/2021 9:25 AM, Ben wrote:
> On 3/4/21 8:46 PM, Bradley D. Thornton wrote:
>> Um... no offense intended, but if you're not on the list, then why are
>> you posting to the list?
>>
>> Honest question.
>
> It looks like you only wrote to the list, so I'm assuming he won't get
> your reply. Although I have to say that I shared your sentiment, that it
> seems a little unfair someone wants to not be part of the group but tell
> the group things. (ie, "you listen to me, I don't listen to you")

Yes I did only reply to the list. That was not a mistake. I'm glad you noticed it :)

In response to the way you put it, "Someone not wanting to be part of a group, yet speaking to that group, might not be deserving the courtesy of a response that ventures outside the confines of that group."

Or something to that effect. I think you get my implication there. IOW, why would I show someone a courtesy they refuse to extend to me?

Good catch there Ben :)

--
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268

> On Mar 4, 2021, at 18:36, Drew DeVault <sir at cmpwn.com> wrote:
>
> The server generates a certificate and it just works. This is much easier.

True. Especially because no one verifies the resulting certificate at all. Easy-peasy indeed.

Actually, one could not bother at all as there is no chain of trust to speak of. Even easier.

What's the point? Honest question.

What's the [threat|trust|usage] model?

https://en.wikipedia.org/wiki/Threat_model

> True. Especially because no one verifies the resulting certificate at all. Easy-peasy indeed.
>
> Actually, one could not bother at all as there is no chain of trust to speak of. Even easier.
>
> What's the point? Honest question.
>
> What's the [threat|trust|usage] model?
>
> https://en.wikipedia.org/wiki/Threat_model

https://en.wikipedia.org/wiki/Trust_on_first_use

See also section 4.2 of the Gemini specification:

gemini://gemini.circumlunar.space/docs/specification.gmi

On 3/4/2021 9:36 AM, Drew DeVault wrote:
>> For the foreseeable future, Vger will continue to use LetsEncrypt. Easy
>> Peasy!
>
> Suit yourself, but this is NOT easy!

I literally JUST said that it is easy. Easy Peasy, in fact ;)

I hope that helps :)

Kindest regards,

--
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268

> On Mar 4, 2021, at 18:45, Drew DeVault <sir at cmpwn.com> wrote:
>
> https://en.wikipedia.org/wiki/Trust_on_first_use
>
> See also section 4.2 of the Gemini specification:

Gemini keeps on repeating 'tofu', 'tofu', 'tofu' - like a talisman. And each and every client understands it differently - if at all.

To add insult to injury, it's purely optional. Optional! While TLS is mandatory!

It's fantastic that servers generate certificates on the fly - trivial things first. But then what?

What's the operating model? Specifically. Consistently. Across the board.

If each client-server pair has its own view on how to handle TLS - then Gemini has nothing at all. Just a giant mess. With mandatory TLS pain for everyone.

I don't get it. So be it.

On 2021-03-04 18:36, Drew DeVault wrote:
> Re-sending, I forgot to Cc the list. Because I wasn't Cc'd on the
> reply.

Your reply threads nicely within the other messages. Sorry to be curious, did you import the message from somewhere or is it enough to manually specify a specific header?

> It's quite common for someone to write to a mailing list without being
> subscribed to it.

Taking part in the list is well possible via the web archive, and subscription is not necessary to post, either, cf. https://lists.orbitalfox.eu/listinfo/gemini

Thanks to GMANE nntps might work with the list, too.

> The server generates a certificate and it just works.

Trying out gmnisrv just yesterday, I was quite happy that it generated the cert files for me. Thanks

> On Mar 4, 2021, at 18:52, Bradley D. Thornton <Bradley at NorthTech.US> wrote:
>
>>> For the foreseeable future, Vger will continue to use LetsEncrypt. Easy
>>> Peasy!
>>
>> Suit yourself, but this is NOT easy!
>
> I literally JUST said that it is easy. Easy Peasy, in fact ;)

FWIW, I concur. Let's Encrypt is as streamlined and trivial as it gets. Not sure where the disconnect is. Oh well...

On Thu Mar 4, 2021 at 1:01 PM EST, wrote:
> Your reply threads nicely within the other messages. Sorry to be
> curious, did you import the message from somewhere or is it enough to
> manually specify a specific header?

The mailto link in the list archives (see the "From" header) includes an in-reply-to header which is able to handle threading. But it's pretty annoying to use this, which is why I asked to be Cc'd.

> Trying out gmnisrv just yesterday, I was quite happy that it generated
> the cert files for me.

Cheers :)

I don't know what to tell you two. There are zero steps with using an auto-configured self-signed certificate. It requires no ongoing maintenance. There are 5 or 6 steps involved in using Let's Encrypt, and you have to top it up every 80 days. You're simply wrong. It's not easier, and that's a fact.
> On Mar 4, 2021, at 19:03, Drew DeVault <sir at cmpwn.com> wrote:
>
> which is why I asked to be Cc'd

mwahahaha... seriously?

so... on one hand you spit at the mailing list on irc... and on the other hand you *ask* for special treatment on it?

nice.

> On Mar 4, 2021, at 19:04, Drew DeVault <sir at cmpwn.com> wrote:
>
> You're simply wrong. It's not easier, and that's a fact.

You are right.

> mwahahaha... seriously?
>
> so... on one hand you spit at the mailing list on irc... and on the
> other hand you *ask* for special treatment on it?

No, I asked for a simple courtesy which is common on mailing lists everywhere.

It should be quite plain to any observer of this thread why I felt it appropriate to bemoan this mailing list on IRC. Take a look in the mirror, bud. This thread demonstrates quite neatly why I'm not subscribed to the mailing list in the first place: because it's full of such esteemed posters as yourself.

On Thu Mar 4, 2021 at 1:10 PM EST, Drew DeVault wrote:
> This thread demonstrates quite neatly why I'm not
> subscribed to the mailing list in the first place: because it's full of
> such esteemed posters as yourself.

I don't mean to derail the focus of the conversation which is TOFU and TLS, but as a newbie to this mailing list, I have to agree with the quoted sentiment above. It seems there's a bit of vitriol to an "outsider" (Drew introduced me to gemini through his blog) who is trying to share his recommendations.

I see nothing wrong with a non-subscriber sending an email to the list. It's easy to archive/trash/filter out the sender if you don't want to acknowledge their existence.

Hello Bradley,

Bradley D. Thornton writes:

> On 3/4/2021 8:43 AM, Drew DeVault wrote:
>> Note: I'm not subscribed to this list, please use "reply-all" to make
>> sure I get Cc'd on your reply.
>
> Um... no offense intended, but if you're not on the list, then why are
> you posting to the list?
>
> Honest question.

Honest answer for me. I'm subscribed to this list. But I did read it from the webarchive for quite some time. I had been subscribed to some high volume lists times ago. BUT I can't cope with that, so I consult the web archive of such lists and chime in if I need it.

It is a matter of being nice to include someone, who asks for being CC:ed. It's their choice, not mine.

Cheers,
~ew

--
Keep it simple!

> On Mar 4, 2021, at 19:10, Drew DeVault <sir at cmpwn.com> wrote:
>
> Take a look in the mirror, bud.

:)

21st century greatest metaphysician "Yogi Berra" once said: You can observe a lot by watching.

Have a great day - bud.

> On Mar 4, 2021, at 20:25, ew.gemini <ew.gemini at nassur.net> wrote:
>
> It is a matter of being nice to include someone, who asks for being CC:ed.

What about hypothetical statements such as "I f*cking hate the mailing list"?

How would you rate such hypothetical? From naughty to nice - to hypocritical?

Nice for sure.

> It's their choice, not mine.

Q.E.D.

As a practical reminder:

https://en.wikipedia.org/wiki/Plonk_(Usenet)
https://en.wikipedia.org/wiki/Kill_file

Kumbaya to you.

It was thus said that the Great Petite Abeille once stated:
>
> > On Mar 4, 2021, at 20:25, ew.gemini <ew.gemini at nassur.net> wrote:
> >
> > It is a matter of being nice to include someone, who asks for being CC:ed.
>
> What about hypothetical statements such as "I f*cking hate the mailing list"?
>
> How would you rate such hypothetical? From naughty to nice - to hypocritical?

[ snip ]

> Kumbaya to you.

How about less trollish behavior with snarky commentary and more constructive conversation? Or is that too mature for you?

If it's too mature, you can always forcibly unsubscribe you from the list (I know that won't stop you completely from signing up again under a different email address so don't bother saying that).

-spc

> On Mar 4, 2021, at 22:30, Sean Conner <sean at conman.org> wrote:
>
> can always forcibly unsubscribe you from the list

Just go ahead, Sean, unsubscribe and silence me.

This will fit the spirit of this commune perfectly.

Nicely done.

> On Mar 4, 2021, at 22:30, Sean Conner <sean at conman.org> wrote:
>
> unsubscribe you from the list

Also, don't forget to ban me on gitlab. And erase all remains as well.

You will make Solderpunk's legacy proud.

Well done.

I usually refrain from getting involved in ML discussions. The reason is that I often don't have anything useful or good enough to contribute, and also I am aware the ML is very high-traffic and the last thing we need is more discussion.

I have been on this mailing list for a long time, before it was ever this crowded or active. I remember getting just one message from in the span of a month, maybe longer.

I'm not a big fan of moderation or exclusion. The first time I saw a message on the mailing list that I genuinely felt was bad and shouldn't have been sent (because it was too rude/disrespectful or obnoxious), it was from Petite Abeille. I did not say anything, but it felt out of character for this list and this community. But hey, we are patient and tolerant, we can learn to get along, right?

Petite Abeille, if you are genuinely interested in Gemini and want to be part of the community, I would not like to see you banned. However, I would implore you to reconsider how you interact on the ML. I can't help but feel you played some part in people being driven out of the ML, though of course not the only part.

As an additional matter to consider, in case some members of the mailing list are not aware (although most probably are), Petite Abeille is not a person's name, but it means "little bee" in French. I got the impression this name was chosen deliberately for trolling, to be anonymous and convey the message that this is a disruptive creature buzzing around and poking us with its stinger.

Also, some people might not be aware, but this mailing list was not supposed to allow Gmail addresses, but a special exception was made for people interested in Gemini to be allowed to use it. It was thought this is for the benefit of the community. However, perhaps we've also unwittingly opened up the list to abuse by throw-away e-mail accounts?

Just some things to consider.

Ben
--
gemini://kwiecien.us/

On 3/4/2021 10:04 AM, Drew DeVault wrote:
> I don't know what to tell you two. There are zero steps with using an

I'm sure I don't know what you mean by, "you two". I am but a single, individual person. Perhaps that was a typo, I'm not sure, but you're indeed conversing with a single person on my end.

> You're simply wrong. It's not easier, and that's a fact.

Okay, Point of correction here. Drew, I know you to be an otherwise upstanding person who prides himself in his capacity to provide service to the community for a greater good.

But I stated what I stated, and that is not what I stated. Please do not put words in my mouth - especially since I never said, *easier*.

I never implied that it was not also easy to use self-signed certs (and most servers I'm aware of will perform this automatically if you don't provide a certificate yourself).

What I said is that it is easy (rather, Easy Peasy, I think) to use LetsEncrypt to handle all of that automatically.

Trying to imply that I said something I NEVER said, which implies that I meant something else, is beneath you. Please refrain from such behavior in the future where it concerns me - a single, individual person.

I'm not angry with you, I'll just chalk this up to you losing context because you are as passionate about Gemini space as many of us others are that have been involved with the project since the very beginning. I don't recall seeing any participation from you prior to about six months ago. Again, that's okay, and I think your intentions are grand - don't put words in my mouth though.

Kindest regards,

--
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268

> On Mar 4, 2021, at 22:51, Ben <benulo at systemli.org> wrote:
>
> Petite Abeille is not a person's name, but it means "little bee" in French.

Correct. Little Bee. Not Tiny Bee as some like to say. That would be Minuscule Abeille or such. Another creature altogether.

> I got the impression this name was chosen deliberately for trolling, to be anonymous and convey the message that this is a disruptive creature buzzing around and poking us with its stinger.

Your impressions are yours. I personally like bees.

https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog

If it's any consolation, this handle has been buzzing around since circa 2005 CE.

Your house, your rules - feel free to ban/unsubscribe/cancel me anytime you are in the mood. No hard feelings.

> I'm sure I don't know what you mean by, "you two". I am but a single,
> individual person. Perhaps that was a typo, I'm not sure, but you're
> indeed conversing with a single person on my end.

Mailing lists are a multiplayer venue. This thread has two people, yourself one of them, who have expressed that Let's Encrypt is easy. You are not the person who said it was "easier" (emphasis on the "er"), and the person I directly replied to in the thread with my comments was someone who did. I suggest you review the archives if you're not receiving all of the emails in the thread.

> Okay, Point of correction here. Drew, I know you to be an otherwise
> upstanding person who prides himself in his capacity to provide service
> to the community for a greater good.
>
> But I stated what I stated, and that is not what I stated. Please do not
> put words in my mouth - especially since I never said, *easier*.
>
> I never implied that it was not also easy to use self-signed certs (and
> most servers I'm aware of will perform this automatically if you don't
> provide a certificate yourself).
>
> What I said is that it is easy (rather, Easy Peasy, I think) to use
> LetsEncrypt to handle all of that automatically.
>
> Trying to imply that I said something I NEVER said, which implies that I
> meant something else, is beneath you. Please refrain from such behavior
> in the future where it concerns me - a single, individual person.
>
> I'm not angry with you, I'll just chalk this up to you losing context
> because you are as passionate about Gemini space as many of us others
> are that have been involved with the project since the very beginning. I
> don't recall seeing any participation from you prior to about six months
> ago. Again, that's okay, and I think your intentions are grand - don't
> put words in my mouth though.

It's evident that you only have half of the conversation, which is not my fault.

I will note that you still refuse the basic courtesy of Cc'ing me on your replies. Not sure what moral high ground you seem to perceive yourself as coming from here.

On 3/4/2021 1:51 PM, Ben wrote:
> As an additional matter to consider, in case some members of the mailing
> list are not aware (although most probably are), Petite Abeille is not a
> person's name, but it means "little bee" in French. I got the impression
> this name was chosen deliberately for trolling, to be anonymous and
> convey the message that this is a disruptive creature buzzing around and
> poking us with its stinger.

Wow, Three years of French at UCSD and I didn't make that connection. I filtered that user a long time ago when it became apparent that I didn't find anything constructive coming from the account, for me personally. I typically do that with serial Top-Posters too, I find that even more annoying and detest having to continually scroll up/down/up/down just to figure out what's being conveyed.

> Also, some people might not be aware, but this mailing list was not
> supposed to allow Gmail addresses, but a special exception was made for
> people interested in Gemini to be allowed to use it. It was thought this
> is for the benefit of the community. However, perhaps we've also
> unwittingly opened up the list to abuse by throw-away e-mail accounts?

I didn't realize that DEAs were permitted now. I still block them from purchasing many services from me - Google is the great facilitator of legitimized Spam.

Sean's deployment of tracking issues via Gitlab was a great idea to avoid noise while working, and effectively creates a WG (working group) that can focus on the matters at hand.

Personally, I would have probably chosen tildegit, since many of the major contributors are homed in that community, or perhaps Codeberg, or even sr.ht (Yeah pls don't flame me for that - it's a good service), but Gitlab works and isn't GitHub so that's good.

Thanks for that info Ben.

--
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268

> On Mar 4, 2021, at 23:13, Bradley D. Thornton <Bradley at NorthTech.US> wrote:
>
> I didn't realize that DEAs were permitted now.

Diplôme d'études approfondies?!

On 2021-03-04 02:13PM, Bradley D. Thornton wrote:
> Personally, I would have probably chosen tildegit, since many of the
> major contributors are homed in that community, or perhaps Codeberg,
> or even sr.ht (Yeah pls don't flame me for that - it's a good
> service), but Gitlab works and isn't GitHub so that's good.

The only issue with tildegit is that it's restricted to people that are in tildes. You can request an account (real people are the ones validating requests after all) but many people wouldn't want to sign up for a new service just to work on the Gemini spec. For instance, I don't have a gitlab account and therefore am not participating in those discussions because why would I make a whole new account for literally one thing. I do have a tildegit account which would make it better for me, but then you'd be putting lots of other people in my situation and cutting a lot of valuable contributors out. And yeah, github is a no-go for obvious reasons.

I would vote for sourcehut because you don't need a sourcehut account to participate (same with this ML), while still keeping the discussion separate from this list, which, IMO, should be announcements of interesting software and new capsules and things like that, plus formal spec announcements.

Oh yeah, learning to block users in your email server or email client is a valuable skill, particularly on this list unfortunately.

~nytpu

--
Alex // nytpu
alex at nytpu.com
GPG Key: https://www.nytpu.com/files/pubkey.asc
Key fingerprint: 43A5 890C EE85 EA1F 8C88 9492 ECCD C07B 337B 8F5B
https://useplaintext.email/

> On Mar 4, 2021, at 23:04, Drew DeVault <sir at cmpwn.com> wrote:
>
> You are not the person who said it was "easier" (emphasis on the "er"),
> and the person I directly replied to in the thread with my comments was
> someone who did.

Actually, the only handle who used "easier" in this entire thread is sir at cmpwn.com. SIR!

On second reading... I take this back! :o)

The Bee wrote: "Actually, one could not bother at all as there is no chain of trust to speak of. Even easier."

But this was unrelated to Let's Encrypt vs. whatnot per se. Rather the larger question of TOFU. Pointless.

Reading comprehension, always problematic.

On 3/4/2021 2:04 PM, Drew DeVault wrote:
> Mailing lists are a multiplayer venue. This thread has two people,
> yourself one of them, who have expressed that Let's Encrypt is easy.
> You are not the person who said it was "easier" (emphasis on the "er"),
> and the person I directly replied to in the thread with my comments was
> someone who did. I suggest you review the archives if you're not
> receiving all of the emails in the thread.

That was a fair enough request. Yes, the party to which you refer is an account that I filtered to /dev/null a long time ago. My bad. It appeared as if you were referring to me.

You'll note I also cc'd you on this. It's my practice to set my MUAs to only "reply list", since that's where I'm conversing. I can't promise anything in the future, but I'll try, and a friendly reminder with each of your posts will help :)

On another note, I would appreciate it if you would take a moment to ensure that your webproxy agent stays off my lawn at *.vger.cloud. I have no qualms about other types of agents, I just personally believe that people should use native Gemini and Gopher protocol clients (which includes browser plugins such as dillo-gemini, qute-gemini, OverbiteNX, and SSH kiosks) to browse Gemini and Gopher space.

My reasons are my own, and I do not purport to speak on behalf of anyone else who manages Gemini services.

Kindest regards,

--
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268

> On Mar 4, 2021, at 23:52, Bradley D. Thornton <Bradley at NorthTech.US> wrote:
>
> Yes, the party to which you refer is an account that I filtered to /dev/null a long time ago. My bad. It appeared as if you were referring to me.

Priceless.

On Thu Mar 4, 2021 at 5:52 PM EST, Bradley D. Thornton wrote:
> That was a fair enough request. Yes, the party to which you refer is an
> account that I filtered to /dev/null a long time ago. My bad. It
> appeared as if you were referring to me.

No worries.

> You'll note I also cc'd you on this. It's my practice to set my MUAs to
> only "reply list", since that's where I'm conversing. I can't promise
> anything in the future, but I'll try, and a friendly reminder with each
> of your posts will help :)

Thank you. Reply all is a safe bet on all mailing lists, I recommend using it by default to make sure you include everyone in the thread.

> On another note, I would appreciate it if you would take a moment to
> ensure that your webproxy agent stays off my lawn at *.vger.cloud. I
> have no qualms about other types of agents, I just personally believe
> that people should use native Gemini and Gopher protocol clients (which
> includes browser plugins such as dillo-gemini, qute-gemini, OverbiteNX,
> and SSH kiosks) to browse Gemini and Gopher space.

My proxy's IP address is 173.195.146.137, I leave the rest up to you. It's my proxy's responsibility to dutifully perform the requests the user asks of it, and it's your responsibility to curtail whatever kinds of traffic you don't want to access your server. I do not support discrimination against user agents, because that's discrimination against users.*

For what it's worth, my proxy only serves my domain and serves external content only if the user follows links from my domain to a third party. It's not useful as a general purpose web portal to geminispace.

On Thu, Mar 4, 2021 at 9:51 PM Ben <benulo at systemli.org> wrote:
> (...)
> As an additional matter to consider, in case some members of the mailing
> list are not aware (although most probably are), Petite Abeille is not a
> person's name, but it means "little bee" in French. I got the impression
> this name was chosen deliberately for trolling, to be anonymous and
> convey the message that this is a disruptive creature buzzing around and
> poking us with its stinger.

A trollish name could be "little wasp". Bees are industrious and useful insects (honey, pollination). The wasp sting is also more frequent and more painful than bee sting.

...so, "Petite Abeille" sounds more positive to me :-)

> On Mar 5, 2021, at 00:01, Phil Leblanc <philanc at gmail.com> wrote:
>
> so, "Petite Abeille" sounds more positive to me :-)

An apiculturists commune this is not.

On Thu, Mar 4, 2021 at 11:05 PM Petite Abeille <petite.abeille at gmail.com> wrote:
>
> > so, "Petite Abeille" sounds more positive to me :-)
>
> An apiculturists commune this is not.

Right. What an amazing thread...

Anyway, thanks to Drew DeVault for his TOFU/TLS recommendations. I am not sure any of the 36+ following replies related to it - but I may have missed some :-)

> On Mar 5, 2021, at 00:13, Phil Leblanc <philanc at gmail.com> wrote:
>
> On Thu, Mar 4, 2021 at 11:05 PM Petite Abeille <petite.abeille at gmail.com> wrote:
>>
>>> so, "Petite Abeille" sounds more positive to me :-)
>>
>> An apiculturists commune this is not.
>
> Right. What an amazing thread...

You are not saying :P

> Anyway, thanks to Drew DeVault for his TOFU/TLS recommendations. I am
> not sure any of the 36+ following replies related to it - but I may
> have missed some :-)

Not really, no. Mostly pests control. Go figure.

That said, I still don't get the TOFU usage model in the context of Gemini... not that I necessarily need to understand it to have a good night sleep, but still... out of curiosity...

In ssh, I know the host, therefore I trust the key. Plus, this happens only every blue moon. No brainer.

Not so in the wild-wild Gemini space. Infinite number of esoteric, fly-by-night operators. All harmless for sure, but still.

What's the trust model, if any? Or is it more like Trust-And-Pray (TAP)? In which case, why bother? Just ignore all certificates and be merry.

This is what a Little Bee impersonator had to say on GitLab:

Trust on first use (TOFU) is akin to unprotected intercourse: you must trust your partner to keep Gonorrhea at bay. No trust, no use.

https://gitlab.com/gemini-specification/protocol/-/issues/5#note_522445814

It was not well received, needless to say. That much is clear.

> On Mar 5, 2021, at 00:00, Drew DeVault <sir at cmpwn.com> wrote:
>
> Reply all is a safe bet on all mailing lists, I recommend using it by
> default to make sure you include everyone in the thread.

Aha :)

Email storm
https://en.wikipedia.org/wiki/Email_storm

"He replied all."
https://twitter.com/newyorker/status/642102577086263297

It was thus said that the Great Bradley D. Thornton once stated:
>
> Sean's deployment of tracking issues via Gitlab was a great idea to
> avoid noise while working, and effectively creates a WG (working group)
> that can focus on the matters at hand.

It wasn't my idea, but a suggestion from Stephane Bortzmeyer, who also suggested gitlab. I went ahead and created an account (just for this) and set up the issue tracker.

> Personally, I would have probably chosen tildegit, since many of the
> major contributors are homed in that community, or perhaps Codeberg, or
> even sr.ht (Yeah pls don't flame me for that - it's a good service), but
> Gitlab works and isn't GitHub so that's good.

I was not aware of the alternatives when I created the issue tracker.

-spc

On Thu, 04 Mar 2021 11:43:49 -0500 "Drew DeVault" <sir at cmpwn.com> wrote: > - Use long-lived certificates with the expiration set to the far future That makes perfect sense for TOFU. If for whatever reason you need to renew a certificate (e.g. to use stronger encryption) you can just swap it out. The clients will (hopefully) learn of the change and can choose whether to trust the new certificate. > - Client software should disregard notBefore/notAfter dates, and the > common name as well. Requiring strong algorithms and other technical > constraints is fine. What is the motivation for ignoring CN? > Any server software which wants to migrate to long-lived certificates > should let their current certificates expire and then automatically > issue a long-lived certificate to replace it when the time comes, rather > than switching immediately and causing your clients to flag your cert as > untrusted. Without a chain of trust, and ignoring notBefore/notAfter, there's no point in waiting. The client (according to the procedure you describe in your article) will find the old cert in known_hosts in step 2., see that the served certificate differs and consider the new certificate UNTRUSTED. That is true regardless of whether you immediately replace the certificate or wait until the old one has expired, unless the client *doen't* ignore notBefore/notAfter and uses those dates to vacuum known_hosts to remove expired certificates automatically (which is impossible given the store format you currently recommend). The procedure you describe does not provide for any other way to roll out new certificates than for the new one to be UNTRUSTED, nor do I think clients are able to provide this in general outside the use of certificate authorities or validity date based vacuuming of known_hosts. That's really how it has to be for TOFU: whenever a new certificate is used, a new trust has to be established. *Any* certificate that you haven't used is untrusted. 
IMO, UNKNOWN is really the same thing as UNTRUSTED. There is no UNKNOWN state; either I've asserted my trust in the certificate or I haven't. UNKNOWN and UNTRUSTED are just different cases of untrusted certificates, with the latter giving you an additional piece of information: that you have already trusted a different certificate for the given host. I think it's better for clients if they are treated as such.

In my client, the user gets a choice whenever they encounter a new certificate. If the trust store happens to contain a different certificate for the host, that information will be displayed to the user as well, so that they can use it as a basis for the decision whether to trust the new certificate. Manually editing known_hosts is just that, "with extra steps".

> To re-state one of my previous recommendations, which I still figure is a good idea: server software should handle certificate maintenance for the user. Making the sysadmin generate certificates is cumbersome and error prone, and because Gemini encourages TOFU and self-signed certificates, we can remove that burden from server operators entirely by generating certificates on-demand for the hosts we intend to service.

Agreed.

> Aside: it might be a good idea to have a non-authoritative TLS best-practices document on gemini.circumlunar.space somewhere. I'd be happy to draft up such a document if this is desirable.

Agreed. I think your article is a good starting point, but consider my criticism above.

-- 
Philip
> On Mar 5, 2021, at 13:13, Philip Linde <linde.philip at gmail.com> wrote:
>
> In my client, the user gets a choice whenever they encounter a new certificate.

"Warning fatigue has pushed many messaging applications to remove blocking warnings to prevent users from reverting to less secure applications that do not feature end-to-end encryption in the first place."

https://en.wikipedia.org/wiki/Trust_on_first_use#Model_strengths_and_weaknesses
https://en.wikipedia.org/wiki/Alarm_fatigue

This doesn't scale. Could as well accept everything. Or ignore everything. Same effect.
On 2021-03-05, Philip Linde wrote:

> What is the motivation for ignoring CN?

What is the motivation for using it? In a TOFU system the only real information that matters is the public key.

> The client (according to the procedure you describe in your article) will find the old cert in known_hosts in step 2., see that the served certificate differs and consider the new certificate UNTRUSTED. That is true regardless of whether you immediately replace the certificate or wait until the old one has expired, unless the client *doesn't* ignore notBefore/notAfter and uses those dates to vacuum known_hosts to remove expired certificates automatically (which is impossible given the store format you currently recommend).

The format I previously recommended stored the expiration date, and other clients might as well. Waiting to rotate is the most conservative choice which maximizes your compatibility with the most clients regardless of their adherence to these best practices.

> Agreed. I think your article is a good starting point, but consider my criticism above.

I think your criticism only applies in a transitive sense, while the community is moving from one procedure to another, and should have little influence on any kind of proposed standard or guidelines.
On 3/5/21 2:31 AM, Phil Leblanc wrote:

> A trollish name could be "little wasp". Bees are industrious and useful insects (honey, pollination). The wasp sting is also more frequent and more painful than bee sting. ...so, "Petite Abeille" sounds more positive to me:-)

Of course, you are right. It could very well be something positive too!

-- 
gemini://kwiecien.us/
On 3/5/21 1:32 AM, Petite Abeille wrote:

> Your house, your rules - feel free to ban/unsubscribe/cancel me anytime you are in the mood.
>
> No hard feelings.

I appreciate what was constructive about your response, but this last part presents a practical problem. When I wrote to you I asked you to make a sincere effort to take the mailing list more seriously. "feel free to ban me" comes across as a negative response.

So if I read you correctly, when asked not to be disruptive to the community, you said "no"?

Ben

-- 
gemini://kwiecien.us/
> On Mar 5, 2021, at 18:02, Ben <benulo at systemli.org> wrote:
>
> So if I read you correctly, when asked not to be disruptive to the community, you said "no"?

It's all in the eye of the beholder. For you to decide. The Little Bee cannot control your emotions. Nor should it.
On Thu, 2021-03-04, Drew DeVault wrote:

> Hello! I have recently announced some upcoming changes to my Gemini software implementations with respect to TLS and TOFU:
>
> https://lists.sr.ht/~sircmpwn/gmni-discuss/%3CC9OP7IK9T9EP.15EOEOOS7QSB9%40taiga%3E
>
> I've also updated my older TOFU recommendations article to reflect the changes:
>
> gemini://drewdevault.com/2020/09/21/Gemini-TOFU.gmi

A few observations:

1. Not storing the port means that the client can't adequately support different certs being served on different ports. You can test with:

    wikipedia.geminet.org
    wikipedia.geminet.org:1966

2. Not storing the expiration timestamp means that the client can't issue a less scary warning when it receives a new cert after the old one expired (or when it's about to expire). Solderpunk argued in favor of clients using expiration dates, for ex:

https://lists.orbitalfox.eu/archives/gemini/2020/002101.html

> I guess I see the main utility of explicit expiration dates in this context as being a kind of promise from the server admin that "I have no plans to do a key rotation for about this length of time". This means that apparent MITM attacks happening at a time when there's a lot of validity left can be treated with much higher suspicion.

3. A cert can be renewed without changing its public key, so storing a hash of the SPKI (SubjectPublicKeyInfo) instead of the entire certificate means potentially fewer unnecessary warning messages for users.

Here's the OpenSSL command to extract the SHA512 hash of the DER-encoded SPKI:

    openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha512 -binary | openssl enc -base64 -A

I used base64 at the end to get a shorter string.

And here's the command one would use to renew a cert without changing keys:

    openssl req -new -x509 -key private_key.pem -out new_cert.pem -subj "/CN=example.com" -days 36500

It generates a certificate valid for 100 years using the old key.
Amfora uses the SPKI, so it wouldn't raise a warning about this new cert.
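
The three observations above (key the store on host and port, keep the expiration date, pin the SPKI hash rather than the whole certificate) combined in one trust-store check, as an added example that is not part of any post in this thread and not the code of Amfora or any other client. The class, method and state names are hypothetical, and the SPKI byte strings are constructed placeholders rather than real keys.

```python
import base64
import hashlib
from datetime import datetime, timezone

def spki_pin(spki_der: bytes) -> str:
    """Base64 SHA-512 of the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha512(spki_der).digest()).decode("ascii")

class TofuStore:
    """Hypothetical in-memory store: (host, port) -> (SPKI pin, notAfter)."""

    def __init__(self):
        self._pins = {}

    def trust(self, host, port, spki_der, not_after):
        """Record the user's decision to trust this key for host:port."""
        self._pins[(host.lower(), port)] = (spki_pin(spki_der), not_after)

    def check(self, host, port, spki_der, not_after, now):
        """Classify a served key against what is pinned for host:port."""
        key = (host.lower(), port)
        known = self._pins.get(key)
        if known is None:
            return "UNKNOWN"                  # nothing pinned for this host:port
        old_pin, old_not_after = known
        if spki_pin(spki_der) == old_pin:
            # Same key, possibly a renewed cert: no warning, refresh the expiry.
            self._pins[key] = (old_pin, not_after)
            return "TRUSTED"
        # Key changed: the stored expiry decides how alarming the prompt is.
        if now >= old_not_after:
            return "CHANGED_AFTER_EXPIRY"     # plausible rotation
        return "CHANGED_WHILE_VALID"          # treat with much higher suspicion

def demo():
    """Run the cases discussed in the thread on constructed inputs."""
    def utc(year):
        return datetime(year, 1, 1, tzinfo=timezone.utc)
    key_a, key_b = b"constructed-spki-A", b"constructed-spki-B"
    store = TofuStore()
    results = [store.check("example.com", 1965, key_a, utc(2022), utc(2021))]
    store.trust("example.com", 1965, key_a, utc(2022))
    # Other port, key change while valid, key change after expiry, same-key renewal.
    results.append(store.check("example.com", 1966, key_b, utc(2022), utc(2021)))
    results.append(store.check("example.com", 1965, key_b, utc(2122), utc(2021)))
    results.append(store.check("example.com", 1965, key_b, utc(2122), utc(2023)))
    results.append(store.check("example.com", 1965, key_a, utc(2121), utc(2021)))
    return results
```

In a real client the `spki_der` argument would be the DER-encoded SubjectPublicKeyInfo taken from the served certificate, which makes `spki_pin` produce the same string as the OpenSSL pipeline quoted above.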
---