💾 Archived View for bbs.geminispace.org › u › skyjake › 1920 captured on 2024-05-10 at 12:58:01. Gemini links have been rewritten to link to archived content


Comment by 🕹️ skyjake

Re: "What's the advantage of using REMOTE_IDENT over..."

In: s/GmCapsule

With self-signed certificates, the only really meaningful part is the key pair. The second part of REMOTE_IDENT is the public key fingerprint that identifies the key pair that was used to sign the certificate.

This provides some flexibility for an application. A client is able to generate a new certificate using an old private key, and the server can detect that a known key pair has been used, and use that as an additional way to identify the user.

It should be noted that while certificates have an expiration date, key pairs do not. Should a private key be stolen, one would have to manually tell every server to consider the key pair revoked/invalid.

🕹️ skyjake [mod, sysop]

2023-06-14 · 11 months ago
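The property skyjake describes, as an added example that is not GmCapsule's own code (GmCapsule is written in Python; Go is used here only because its standard library can build and parse certificates with no extra dependencies): a client keeps one key pair, issues a second self-signed certificate with it, and a server hashing the whole certificate sees a new identity while a server hashing only the public key sees the same one. The SHA-256 choice, the `Identity` struct and all function names are assumptions for illustration, not the actual layout of REMOTE_IDENT.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// Identity: CertHash is SHA-256 of the whole DER certificate, KeyHash of its SubjectPublicKeyInfo.
type Identity struct{ CertHash, KeyHash [32]byte }

// Identify computes both hashes from a DER certificate, as a server would on each request.
func Identify(der []byte) (Identity, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Identity{}, err
	}
	return Identity{sha256.Sum256(der), sha256.Sum256(cert.RawSubjectPublicKeyInfo)}, nil
}

// Issue self-signs a certificate for key; serial and validity differ per issuance, the key does not.
func Issue(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) (Identity, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Identity{}, err
	}
	return Identify(der)
}

// Rotate simulates a client that keeps its key pair but replaces its certificate a year later.
func Rotate() (old, renewed Identity, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	start := time.Date(2023, 6, 14, 0, 0, 0, 0, time.UTC) // constructed issue date
	if old, err = Issue(key, 1, start); err == nil {
		renewed, err = Issue(key, 2, start.AddDate(1, 0, 0))
	}
	return
}
```

A server keyed only on `CertHash` would treat the renewed certificate as a stranger; one that also records `KeyHash` can recognise the returning key pair, which is also why a stolen key has to be revoked on every server by hand.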

1 Later Comment

🍀 gritty [OP] · 2023-06-14 at 09:45:

@skyjake I didn't realize you could make a new cert with the same keypair. That is an interesting way to add extra verification for users vs. just certs. Good for longer-term use, it seems. Thanks.

Original Post

🌒 s/GmCapsule

What's the advantage of using REMOTE_IDENT over TLS_CLIENT_HASH? I see the TLS_CLIENT_HASH is part of the other

💬 gritty · 2 comments · 2023-06-13 · 11 months ago