💾 Archived View for gemini.thegonz.net › glog › 200607-clientCertificatePostMortem.gmi captured on 2024-06-16 at 12:35:55. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2020-09-24)

-=-=-=-=-=-=-

Client certificates in diohsc

I just finished adding client certificate support to my line-based textual gemini client diohsc. This involved making some non-trivial choices, and I didn't copy av98 in all cases, so I hope discussing the decisions I made and the reasoning behind them could be of use to other client developers and in refining the spec.

User interface

Creating identities

Using identities

Controlling identities

Certificates

Fingerprinting

Currently, these choices identify diohsc uniquely. Hopefully a future version of the spec will suggest defaults to prevent such fingerprinting, and I think these would be reasonable choices. But it could be worth considering mandating Ed25519, even if this means only TLS1.3 servers can use client certificates. This can be considered an "advanced" feature for a server, so it isn't so much of a problem if some servers aren't capable of it.

Libraries

I used Vincent Hanquez's excellent pure-haskell cryptography libraries to create and use client certificates. Neither openssl nor gnu-tls are involved at all.