💾 Archived View for bbs.geminispace.org › u › kebokyo › 18364 captured on 2024-08-19 at 00:54:33. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-07-09)
-=-=-=-=-=-=-
Just found out this was a thing. I am very curious about the whole "client identity" system... can self-signed certificates be trusted? Wonder if there's a way to sign a certificate on, say, my VPS, and use that certificate to verify my identity. I really want to nerd out about this lol
Jul 06 · 6 weeks ago
It’s trusted as a first appearance.
The first time you meet someone/some site it is stored as what this should look like. If it ever changes, that’s where you throw a warning.
🕹️ skyjake [...] · Jul 07 at 04:16:
can self-signed [client] certificates be trusted?
Essentially, these provide proof (to a server) that the client is in possession of the (supposedly) secret and unique private key of the certificate. No other information contained in the client certificate can be trusted, by default.
You could certainly act as your own CA and do the whole certificate signing process on your client certificates, to prove that a particular client certificate was created by your CA, i.e., based on a particular CA root certificate. However, any server wishing to verify this signature would have to be provided your CA root certificate beforehand. I don't know of any Gemini server that supports such a thing out of the box.