💾 Archived View for station.martinrue.com › clseibold › 260c9d02cea64a188dfd46550fa1ee34 captured on 2024-08-31 at 14:11:11. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

👽 clseibold

Can someone please explain to me why some Gemini browsers are completely ignoring the Common Name field in certs and requiring domains to be in the Subject **ALTERNATIVE** Name (SAN) field? This feels like it's completely incorrect and broken.

11 months ago

3 Replies

👽 mozz

Validating *any* X.509 field while using a TOFU scheme is incorrect and broken, but here we are 🤷. Cargo culting is a powerful force in cybersecurity. · 11 months ago

👽 clseibold

@jsreed5 I found the culprit. Apparently in 2011, there was an RFC published that said if an SAN exists, then the CN should not be checked. I don't understand why this is a thing, but it is: https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4 · 11 months ago

👽 jsreed5

The Gemini protocol specification does not require any particular information to be contained in client or server certificates. I'm guessing that vagueness is resulting in certs being handled differently from server to server. · 11 months ago
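
The RFC 6125 section 6.4.4 rule linked in this thread, sketched as an added example (not part of the original posts and not any Gemini client's code): the Common Name is consulted only when the certificate carries no DNS or URI entry in its SAN, so a cert whose SAN lists a different name fails even if its CN matches. The certificates are constructed dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; `check_identity` and `_dns_match` are hypothetical names, and wildcard and SRV-ID handling are simplified.

```python
def _dns_match(pattern, host):
    """Case-insensitive compare; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # simplification: never accept '*.tld'
        return p[1:] == h[1:]
    return p == h


def check_identity(cert, host):
    """Return (matched, source), where source is 'SAN', 'CN' or 'none'."""
    san = cert.get("subjectAltName", ())
    dns_ids = [value for kind, value in san if kind == "DNS"]
    # RFC 6125 6.4.4: CN is a last resort, used only if the cert presents
    # no DNS-ID, SRV-ID or URI-ID. Assumption: SRV-IDs are not modelled here.
    if dns_ids or any(kind == "URI" for kind, _ in san):
        if any(_dns_match(d, host) for d in dns_ids):
            return True, "SAN"
        return False, "none"  # SAN present but no match: CN is NOT consulted
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, host):
                return True, "CN"
    return False, "none"


# Constructed sample certificates (hostnames are made up for illustration).
CN_ONLY = {"subject": ((("commonName", "capsule.example"),),)}
CN_AND_SAN = {
    "subject": ((("commonName", "capsule.example"),),),
    "subjectAltName": (("DNS", "other.example"),),
}
SAN_WILDCARD = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.capsule.example"),),
}

if __name__ == "__main__":
    for name, cert, host in [
        ("CN only", CN_ONLY, "capsule.example"),
        ("CN matches, SAN differs", CN_AND_SAN, "capsule.example"),
        ("wildcard SAN", SAN_WILDCARD, "gem.capsule.example"),
    ]:
        print(f"{name:26} {host:22} -> {check_identity(cert, host)}")
```
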