๐Ÿ’พ Archived View for gemi.dev โ€บ gemini-mailing-list โ€บ 000119.gmi captured on 2024-06-16 at 12:40:51. Gemini links have been rewritten to link to archived content

View Raw

More Information

โฌ…๏ธ Previous capture (2023-12-28)

-=-=-=-=-=-=-

Underspecified part in the Specification

1. Felix QueiรŸner (felix (a) masterq32.de)

Hey List and especially solderpunk!

I just started to read on the certificate stuff and looked at
Astrobotany [0] as an example application using client certificates.

Their process looks like this:
1. Generate private key
2. Generate a certificate request
3. Submit your CSR via HTTPS to astrobotany, they will then send you a
signed certificate
4. Use that certificate to authenticate at astrobotany

Now i wonder:
Is this the planned way everyone should go? What about self-signed
client certificates?

I would expect Gemini to use self-signed client certificates for
identitiy management, and even more for transient certificates.

The documentation on client certificates is mainly ?1.4.3 and the status
codes 61 and 62, but no word about how to obtain these client certificates.

I think this needs some clarification on how to handle this

Regards
xq

[0] gemini://astrobotany.mozz.us/

Link to individual message.

2. solderpunk (solderpunk (a) SDF.ORG)

Howdy,

Yes, massively, you are right.  I mentioned this in my recent gemlog
post on TLS, please see:
gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/tls-musings.gmi

This part of the spec needs tightening up, and since we actually have
real world implementations of an application using client certificates I
consider this a higher priority than some other stuff, which is only a
possible future concern yet.

I expect most of the major changes to come shortly after the spec
unfreeze will relate to client certificates.

I have been thinking about the matter and have coded up lots of client
certificate related stuff in AV-98 in the past week or so to demonstrate
concrete ideas about how we might want this to work.

Please be patient until this coming weekend when I'll do a release and
make some posts about this. :)

Cheers,
Solderpunk

On Tue, May 19, 2020 at 11:08:09PM +0200, Felix Quei?ner wrote:
> Hey List and especially solderpunk!
> 
> I just started to read on the certificate stuff and looked at
> Astrobotany [0] as an example application using client certificates.
> 
> Their process looks like this:
> 1. Generate private key
> 2. Generate a certificate request
> 3. Submit your CSR via HTTPS to astrobotany, they will then send you a
> signed certificate
> 4. Use that certificate to authenticate at astrobotany
> 
> Now i wonder:
> Is this the planned way everyone should go? What about self-signed
> client certificates?
> 
> I would expect Gemini to use self-signed client certificates for
> identitiy management, and even more for transient certificates.
> 
> The documentation on client certificates is mainly ?1.4.3 and the status
> codes 61 and 62, but no word about how to obtain these client certificates.
> 
> I think this needs some clarification on how to handle this
> 
> Regards
> xq
> 
> [0] gemini://astrobotany.mozz.us/

Link to individual message.

3. Felix QueiรŸner (felix (a) masterq32.de)

Hey,

> Yes, massively, you are right.  I mentioned this in my recent gemlog
> post on TLS, please see:
> gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/tls-musings.gmi
It might be that your server is currently unreachable, i can't connect
to port 1965 with IPv4 :(
> Please be patient until this coming weekend when I'll do a release and
> make some posts about this. :)
Okay, sure! I think i'll need the time to understand all of this anyways :D

Regards
xq

Link to individual message.

4. solderpunk (solderpunk (a) SDF.ORG)

On Tue, May 19, 2020 at 11:17:32PM +0200, Felix Quei?ner wrote:
> Hey,
> 
> > Yes, massively, you are right.  I mentioned this in my recent gemlog
> > post on TLS, please see:
> > gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/tls-musings.gmi
> It might be that your server is currently unreachable, i can't connect
> to port 1965 with IPv4 :(

Whoops, sorry, it literally *just* went down (I navigated to that post
to get the URL before sending the email).  Honestly, who wrote this
buggy thing?!

It's back up now.

Cheers,
Solderpunk

Link to individual message.

---

Previous Thread: Emacs mode for text/gemini?

Next Thread: A new kind of client torture test