💾 Archived View for gemi.dev › gemini-mailing-list › 000965.gmi captured on 2024-05-26 at 17:03:05. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

[tech] Can I use existing ssh keys for gemini identity?

1. Chris McGee (newton688 (a) gmail.com)

Hi All,

Does anyone know of a way to use my ssh RSA key-pairs as my identity for
Gemini?

Thanks,
Chris

Link to individual message.

2. Gary Johnson (lambdatronic (a) disroot.org)

Chris McGee <newton688@gmail.com> writes:

> Does anyone know of a way to use my ssh RSA key-pairs as my identity for
> Gemini?

Hi Chris,

  Any Gemini capsule may choose to prompt your browser for a client
certificate. These can often be provided as either temporary or
permanent certs if your browser supports this feature. While many
browsers will auto-generate certs for you on the fly if requested, you
can also usually provide your own on a capsule by capsule basis.

If you want to use an existing certificate on your machine for one or
more Gemini capsules, you are free to do so. Just add them to your
browser's certificate collection.

Unfortunately, an SSH RSA key-pair isn't an X.509 SSL certificate, which
is what you need to give your Gemini browser. SSH produces/uses a public
key file and a private key file. For Gemini, you'll need a certificate
file (which contains the public key plus some ownership and signing
metadata) as well as a private key file.

I hope that helps.

Happy hacking,
  Gary

-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Link to individual message.

3. Matthew Graybosch (contact (a) starbreaker.org)

On Fri, Jul 9, 2021, at 9:30 AM, Chris McGee wrote:
> Hi All,
> 
> Does anyone know of a way to use my ssh RSA key-pairs as my identity for Gemini?

I don't think that's in the spec. It's all about TLS.

-- 
Matthew Graybosch
gemini://starbreaker.org
"The lies you tell yourself are the lies that define you."
#include <disclaimer.h>

Link to individual message.

4. Chris McGee (newton688 (a) gmail.com)

On Fri, Jul 9, 2021 at 11:46 AM Matthew Graybosch <contact@starbreaker.org>
wrote:

>
> > Does anyone know of a way to use my ssh RSA key-pairs as my identity for
> Gemini?
>
> I don't think that's in the spec. It's all about TLS.
>
>
I know that I'm relatively new to Gemini. I'm wondering if there were
reasons why SSH wasn't chosen as the transport for Gemini, like git? SSH
doesn't have the certificate expiry issue, for example.

Link to individual message.

5. Stephane Bortzmeyer (stephane (a) sources.org)

On Fri, Jul 09, 2021 at 11:59:35AM -0400,
 Chris McGee <newton688@gmail.com> wrote 
 a message of 40 lines which said:

> I'm wondering if there were reasons why SSH wasn't chosen as the
> transport for Gemini, like git? SSH doesn't have the certificate
> expiry issue, for example.

[Warning: I'm not Solderpunk but I try to impersonate him.]

The expiration is not really an issue since you can always create
certificates with ridiculous durations (20 years...).

Otherwise, the big problem with SSH is there are much less available
libraries, compared to TLS.

Link to individual message.

6. Chris McGee (newton688 (a) gmail.com)

On Fri, Jul 9, 2021 at 2:43 PM Stephane Bortzmeyer <stephane@sources.org>
wrote:

> Otherwise, the big problem with SSH is there are much less available
> libraries, compared to TLS.
>

I think the picture may have changed a bit in the last few years. There
appears to be mature libraries available for C (libssh), Java (JSCH), Go
(x/crypto/ssh) and Python, probably many others.

It would be nice to re-use my identities and trusts that I use for ssh, git
and gerrit for gemini (and other protocols too) with my own per-host
configurations. Another interesting side effect of using ssh as the
transport is that you could use ssh to script interactions with a gemini
server because the protocol is so simple, no need to implement gemini
versions of curl to do that. Similarly, setting up a gemini server could be
as simple as setting up ssh with a shell script to follow the protocol and
echo out the page for a given URI.

Link to individual message.

7. Robert "khuxkm" Miles (khuxkm (a) tilde.team)

July 9, 2021 9:30 AM, "Chris McGee" <newton688@gmail.com> wrote:

> Hi All,
> 
> Does anyone know of a way to use my ssh RSA key-pairs as my identity for Gemini?

As everyone else has said, Gemini uses TLS and not SSH. However, nobody 
seems to have mentioned you
could just sign a TLS certificate with your private key? You would simply 
use a command like the
following:

openssl req -x509 -sha256 -days 3650 -key privkey.pem -out mycert.crt

That would generate a certificate with your existing private key.

Just my two cents,
Robert "khuxkm" Miles

Link to individual message.

---

Previous Thread: how to submit multi-line long form text to gemini?

Next Thread: Re: Gemini Digest, Vol 24, Issue 12