💾 Archived View for rawtext.club › ~sloum › geminilist › 005768.gmi captured on 2024-02-05 at 11:07:14. Gemini links have been rewritten to link to archived content


[spec] Certificate trust

colecmac at protonmail.com colecmac at protonmail.com

Mon Mar 1 01:48:02 GMT 2021

- - - - - - - - - - - - - - - - - - - 
2) If 1 is invalid, let's (introduce something new here) check if
DNS doesn't have a TXT field with the certificate fingerprint and
see if it matches the current one, accept if OK

Unless your computer is using DoH or DoT (or DNSSEC?? Not sure) then your DNS lookup isn't secure either. If your adversary can sit in between your traffic and change a capsule's TLS certificate then I don't see why DNS would be very different. Seems like this just adds complexity but without benefit.

makeworld
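
An added example, not part of the original message or of any Gemini client: a sketch of the quoted step 2 that makes the objection above concrete by trusting a TXT match only when the caller says the DNS answer was authenticated. The TXT payload format `gemini-fp=sha256:<hex>`, the function names and the three result strings are assumptions; the thread defines none of them.

```python
import hashlib

# Hypothetical TXT payload format; the thread does not define one.
PREFIX = "gemini-fp=sha256:"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def txt_matches(cert_der: bytes, txt_records: list) -> bool:
    """True if any TXT record carries the presented certificate's fingerprint."""
    want = fingerprint(cert_der)
    for rec in txt_records:
        rec = rec.strip().lower()
        if not rec.startswith(PREFIX):
            continue  # unrelated TXT data (SPF, site verification, ...)
        # Tolerate colon-separated hex such as "ab:cd:...".
        if rec[len(PREFIX):].replace(":", "") == want:
            return True
    return False

def fallback_decision(cert_der: bytes, txt_records: list,
                      dns_authenticated: bool) -> str:
    """Step 2 of the quoted proposal, run after step 1 has already failed.

    dns_authenticated is supplied by the caller (assumption): True only if
    the answer arrived in a way an on-path attacker could not alter.
    """
    if not txt_matches(cert_der, txt_records):
        return "reject"
    if dns_authenticated:
        return "accept"
    # A match over plain DNS proves little: whoever swapped the certificate
    # could have rewritten the TXT answer to agree with it.
    return "untrusted"

if __name__ == "__main__":
    # Constructed sample data: placeholder bytes standing in for DER certs.
    real, swapped = b"constructed capsule cert", b"constructed swapped cert"
    honest_txt = ["v=spf1 -all", PREFIX + fingerprint(real)]
    forged_txt = [PREFIX + fingerprint(swapped)]
    print(fallback_decision(real, honest_txt, True))      # authenticated match
    print(fallback_decision(swapped, forged_txt, False))  # forged pair, plain DNS
    print(fallback_decision(real, honest_txt, False))     # honest pair, plain DNS
    print(fallback_decision(swapped, honest_txt, True))   # mismatch
```

Over plain DNS the forged pair and the honest pair produce the same result, which is why the check cannot raise trust on that path.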