💾 Archived View for rawtext.club › ~sloum › geminilist › 005955.gmi captured on 2024-03-21 at 16:35:50. Gemini links have been rewritten to link to archived content


Updated recommendations regarding TOFU & TLS

Drew DeVault sir at cmpwn.com

Fri Mar 5 12:46:49 GMT 2021

- - - - - - - - - - - - - - - - - - - 

On 2021-03-05, Philip Linde wrote:

> What is the motivation for ignoring CN?

What is the motivation for using it? In a TOFU system the only real information that matters is the public key.

> The client (according to the procedure you describe in your article)
> will find the old cert in known_hosts in step 2., see that the served
> certificate differs and consider the new certificate UNTRUSTED. That is
> true regardless of whether you immediately replace the certificate or
> wait until the old one has expired, unless the client *doesn't* ignore
> notBefore/notAfter and uses those dates to vacuum known_hosts to remove
> expired certificates automatically (which is impossible given the store
> format you currently recommend).

The format I previously recommended stored the expiration date, and other clients might as well. Waiting to rotate is the most conservative choice which maximizes your compatibility with the most clients regardless of their adherence to these best practices.

> Agreed. I think your article is a good starting point, but consider my
> criticism above.

I think your criticism only applies in a transitive sense, while the community is moving from one procedure to another, and should have little influence on any kind of proposed standard or guidelines.