💾 Archived View for bbs.geminispace.org › u › karel › 5256 captured on 2024-02-05 at 14:33:31. Gemini links have been rewritten to link to archived content
Re: "Gemini: Update User Certificate"
Exactly that: update=replace. I read the documentation, but failed to execute the recipe in practice. How can you "add" a second certificate? The browser can only present a single cert at a time (no "adding"). There is no upload feature (Gemini does not support uploads). Maybe an explanation on how this is realized could help me understand the specific mechanisms of these sites. Thanks.
2023-09-12 · 5 months ago
In principle, a general solution would be to sign a new certificate with the old one, then the server could automatically consider the new certificate to identify the same user the old one did. That seems much neater to me than the password-mediated approach. However, to my knowledge no existing server passes enough certificate information to (s)CGI scripts to implement this.
🚀 skyjake [mod...] · Sep 12 at 18:14:
I really should add something about this to the Help page...
Briefly, on BBS:
Now both certificates are linked to your account. You can then remove the old one(s) if you want on the same Certificate Settings page.
When it comes to signing with the old certificate, as @clseibold says, clients would need to automate this for it to be a feasible method. Otherwise it's too difficult to do for the average user.
Thinking about it, here's an even simpler approach: while a user is logged in (identified by one cert), show a link of the form "/addcert?$UID+$TOKEN" where UID is the key in the server's user database and TOKEN is e.g. sha256(UID+SECRET) where SECRET is a server secret. Then if that link is followed with a new certificate, the server can consider the new cert to belong to UID. Problem: copy+paste or having a shoulder-surfer could leak the token. Partial solution: make the token time-limited.
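The "/addcert" link scheme sketched above, written out as an added example (this is not BBS code or skyjake's, and the server secret, the 300-second lifetime and the UID+ISSUED+TOKEN field layout are assumptions). It goes slightly beyond the post: the issue time rides in the link so the token can be time-limited, the token is an HMAC rather than a bare sha256(UID+SECRET), and a token can optionally be rejected once it has been used, which limits what a copied or shoulder-surfed link is worth.

```python
import hashlib
import hmac
import time
from typing import Optional, Set

# Constructed secret for this example; a real server would load it from
# configuration, never embed it in code.
SERVER_SECRET = b"example-only-server-secret"
MAX_AGE_SECONDS = 300  # assumed lifetime of an /addcert link

def make_token(uid: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Keyed token over UID and issue time. HMAC-SHA256 is used instead of a
    plain sha256(UID+SECRET) so the secret is never hashed directly with
    attacker-influenced input."""
    return hmac.new(secret, f"{uid}|{issued_at}".encode(), hashlib.sha256).hexdigest()

def make_addcert_query(uid: str, now: Optional[int] = None) -> str:
    """Query part of the link shown to the logged-in user: UID+ISSUED+TOKEN.
    (UID is assumed not to contain '+', the field separator.)"""
    issued_at = int(time.time() if now is None else now)
    return f"{uid}+{issued_at}+{make_token(uid, issued_at)}"

def verify_addcert_query(query: str, now: int, consumed: Optional[Set[str]] = None,
                         secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Called when the link is followed with the new certificate. Returns the
    UID the new cert should be attached to, or None if the link is invalid."""
    parts = query.split("+")
    if len(parts) != 3:
        return None
    uid, issued_str, token = parts
    if not issued_str.isdigit():
        return None
    issued_at = int(issued_str)
    if issued_at > now or now - issued_at > MAX_AGE_SECONDS:
        return None  # expired, or an issue time in the future
    expected = make_token(uid, issued_at, secret)
    if not hmac.compare_digest(expected, token):
        return None  # forged, or UID/time altered after issue
    if consumed is not None:
        if token in consumed:
            return None  # already redeemed once
        consumed.add(token)
    return uid
```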
🦋 karel [OP] · Sep 12 at 20:27:
Thank you so much, this was an interesting discussion. I would personally prefer the solution with the signature chain (sign the new certificate with the old one). Also thanks for telling me how the certificate update works on BBS. For some reason, I failed on the first attempt (yes, it works).
🦋 karel [OP] · Sep 15 at 06:47:
@skyjake: Yes, please, add that text snippet to the Help page.
Gemini: Update User Certificate — Gemini uses certificates for login authentication. There are many valid reasons to change/update certificates. Certificates expire. Algorithms become outdated, keys too short. One might move from a global certificate to one per service (or the other way around). Change the user name and more. Yet, the protocol provides no way to update a certificate. I tested a certificate update both with Astrobotany and with the BBS and failed. Does anyone know of an...