💾 Archived View for rawtext.club › ~sloum › geminilist › 005799.gmi captured on 2023-11-14 at 09:51:09. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

<-- back to the mailing list

[spec] Certificate trust

Côme Chilliet come at chilliet.eu

Mon Mar 1 10:44:06 GMT 2021

- - - - - - - - - - - - - - - - - - - 

Le lundi 1 mars 2021, 10:42:15 CET cas a écrit :

No need to do manual/extra DNS queries to verify certificates via DANE.
GnuTLS has DANE validation build in
<https://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-DANE.html>
and OpenSSL has that as well
<https://www.openssl.org/docs/man1.1.0/man3/SSL_dane_enable.html>

This is great news, but on an other subthread Stephane said:

This is certainly the best solution, technically
speaking. Unfortunately, adding DANE support to your Gemini client
typically requires some effort, the existing libraries are typically
not sufficient. (Full disclosure: I did not even add DANE support to
my own Gemini client, despites the fact I'm strongly pro-DANE.)

Who is right?

I would feel really comfortable building on a existing bloc like DANE as this way there is a lot more chance to see libraries supporting it than if we use something Gemini-specific.

Côme