💾 Archived View for rawtext.club › ~sloum › geminilist › 006004.gmi captured on 2024-03-21 at 16:35:17. Gemini links have been rewritten to link to archived content


Enhancing TOFU

Stephane Bortzmeyer stephane at sources.org

Mon Mar 8 12:23:11 GMT 2021

- - - - - - - - - - - - - - - - - - - 

On Fri, Mar 05, 2021 at 01:33:49PM +0100, nothien at uber.space <nothien at uber.space> wrote a message of 44 lines which said:

> I propose an extension to this, which allows servers to announce
> their intention (in a verifiable way) to change certificates in the
> near future.

Gemini already has one way to announce this intention. To quote the spec, "If the certificate is not the one previously received, BUT THE PREVIOUS CERTIFICATE'S EXPIRY DATE HAS NOT PASSED, the user is shown a warning". So, to announce your intention to change the certificate, just say so in the expiration date (notAfter field).

Agunua <gemini://gemini.bortzmeyer.org/software/agunua/> does it in a more liberal way, accepting a change if there is less than 10 % of the former certificate life remaining:

    # We accept a slack of 10 % of the certificate lifetime, or 7 days, whatever is smaller.
    slack = old_lifetime/10
    if datetime.timedelta(days=7) < old_lifetime/10:
        slack = datetime.timedelta(days=7)
    if self.keystring != old_key:
        if datetime.datetime.utcnow() >= (old_expiration - slack):
            pass # OK, it is expired or soon to be
        else:
            error = "Former public key at %s was %s, new one is %s. ...
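The two rules compared in the message (the spec's "warn unless the old certificate has expired" and Agunua's "10 % of the lifetime or 7 days, whichever is smaller") as a small, self-contained TOFU pin check. This is an added example, not Agunua's code and not part of the original message: the Pin record, the evaluate() function, the host name and the fingerprint strings are assumptions made up for illustration, and the current time is passed in explicitly instead of calling utcnow() so the decision can be tested offline.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Callable, Dict

# Hypothetical pin record: what a TOFU client would persist per host.
# `key` stands for a fingerprint of the server's public key (SPKI);
# the dates come from the certificate's notBefore / notAfter fields.
@dataclass(frozen=True)
class Pin:
    key: str
    not_before: dt.datetime
    not_after: dt.datetime


def spec_slack(old_lifetime: dt.timedelta) -> dt.timedelta:
    """Gemini spec rule: a new key is only accepted silently once the
    previously seen certificate's expiry date has passed (no slack)."""
    return dt.timedelta(0)


def agunua_slack(old_lifetime: dt.timedelta) -> dt.timedelta:
    """Agunua's rule as quoted above: 10 % of the old certificate's
    lifetime, capped at 7 days."""
    return min(old_lifetime / 10, dt.timedelta(days=7))


def evaluate(store: Dict[str, Pin], host: str, presented: Pin,
             now: dt.datetime,
             slack_rule: Callable[[dt.timedelta], dt.timedelta] = agunua_slack) -> str:
    """Apply TOFU to the certificate `presented` by `host` at time `now`.

    Returns one of:
      "first-use"   no pin yet; the presented key is pinned
      "match"       same key as pinned; validity dates refreshed
      "rotated-ok"  different key, but inside the slack window; re-pinned
      "warn"        different key outside the window; pin left untouched
    """
    old = store.get(host)
    if old is None:
        store[host] = presented
        return "first-use"
    if presented.key == old.key:
        # Same key, possibly a renewed certificate: track the new dates so
        # the slack window follows the certificate actually in use.
        store[host] = presented
        return "match"
    slack = slack_rule(old.not_after - old.not_before)
    if now >= old.not_after - slack:
        store[host] = presented
        return "rotated-ok"
    return "warn"


def demo() -> list:
    """Constructed timeline: a 90-day certificate pinned in January, then a
    new key shown on 20 March (warned) and on 26 March (accepted, since the
    old one expires on 1 April and the slack is min(9 d, 7 d) = 7 days)."""
    store: Dict[str, Pin] = {}
    old = Pin("sha256:OLDKEY", dt.datetime(2021, 1, 1), dt.datetime(2021, 4, 1))
    new = Pin("sha256:NEWKEY", dt.datetime(2021, 3, 20), dt.datetime(2021, 6, 20))
    return [
        evaluate(store, "example.org", old, dt.datetime(2021, 1, 2)),
        evaluate(store, "example.org", new, dt.datetime(2021, 3, 20)),
        evaluate(store, "example.org", new, dt.datetime(2021, 3, 26)),
    ]


if __name__ == "__main__":
    print(demo())
```

With spec_slack the same 26 March change is still a warning and only becomes silent on 1 April; the price of Agunua's slack is that, for up to 7 days before expiry, any new key is accepted without asking, so the operator should rotate keys inside that window and not earlier.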