💾 Archived View for bbs.geminispace.org › u › clseibold › 5262 captured on 2023-11-14 at 09:50:27. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-11-04)
-=-=-=-=-=-=-
Re: "Gemini: Update User Certificate"
@skyjake Oh! I didn't realize Bubble had time limit on the password! I think other services don't have this. I'm glad you did it like this, because it feels way more secure.
Sep 12 · 2 months ago
Thinking about it, here's an even simpler approach: while a user is logged in (identified by one cert), show a link of the form "/addcert?$UID+$TOKEN" where UID is the key in the server's user database and TOKEN is e.g. sha256(UID+SECRET) where SECRET is a server secret. Then if that link is followed with a new certificate, the server can consider the new cert to belong to UID. Problem: copy+paste or having a shoulder-surfer could leak the token. Partial solution: make the token time-limited.
Thank you so much, this was an interesting discussion. I would personally prefer the solution with the signature chain (sign the new certificate with the old one). Also thanks for telling me how the certificate update works on BBS. For some reason, I failed on the first attempt (yes, it works).
@skyjake: Yes, please, add that text snippet to the Help page.
Gemini: Update User Certificate — Gemini uses certificates for login authentication. There are many valid reasons to change/update certificates. Certificates expire. Algorithms become outdated, keys too short. One might move from a global certificate to one per service (or the other way around). Change the user name and more. Yet, the protocol provides no way to update a certificate. I tested a certificate update both with Astrobotany and with the BBS and failed. Does anyone know of an...