💾 Archived View for bbs.geminispace.org › u › satch › 1199 captured on 2024-08-31 at 14:25:44. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-08-18)
-=-=-=-=-=-=-
Re: "THE GEMINI PROTOCOL SEEN BY THIS HTTP CLIENT PERSON"
@skyjake
About 2: Thank you for explaining about client certificates using the complete URL prefix. The spec does say this:
That certificate's fingerprint and expiry date are saved in a persistent database, associated with the server's hostname. On all subsequent connections to that hostname, the received certificate's fingerprint is computed and compared to the one in the database.
Which should probably be clarified.
If 4. is another divergence between the spec and real life implementation, that's another change due.
As for 5, on second thought I actually agree that the way proxies currently work is fine - you have to trust your proxy, but you don't have to use one. That's acceptable.
2023-05-28 · 1 year ago
🕹️ skyjake [mod...] · 2023-05-28 at 20:24:
@satch
That [server] certificate's fingerprint and expiry date are saved in a persistent database, associated with the server's hostname.
Yeah, the database of trusted server certificates should in practice include ports. This was actually the cause of a bug in an early version of Lagrange. I wasn't keeping track of the port numbers.
🦀 jeang3nie · 2023-05-29 at 02:26:
Thrig.me had a good point for point response to this, had me laughing the entire time.
— thrig.me/blog/2023/05/29/http-client-person-from-gemini.gmi
On Tofu - I'm of two minds. It's actually more work to implement when writing a client, as most libraries consider CA validation to be the "happy path". That said, we're not exactly hosting bank websites over here. TLS is primarily providing transport security, not identity. Our identities are often anonymous in Geminispace. So to me, the point that using Tofu leads to security implications because of weak identity verification is no point at all.
Connection re-use makes not a bit of sense in context of how Gemini is used.
are these kinds of changes even possible at this point in time?
Well, they are, but not without a lot of pain. Not everyone is likely to update to a newer version of the spec at the same time. Some may not do it at all. So you wind up having to support multiple versions in perpetuity if you want to avoid breaking people's things. Personally, I don't want to break people's things and don't see a need to change the spec at this point.
@mozz yes I found Spartan a much nicer spec to implement, both from a server and a client perspective. I wish it was used as much as Gemini is.
🐝 Addison · 2023-05-29 at 02:48:
His opposition to TOFU strikes me as FUD. Nobody is implementing banking apps in Gemini. TOFU is good enough.
🕹️ skyjake [mod...] · 2023-05-29 at 06:20:
@jeang3nie Yes, Thrig.me's response is certainly worth a read. 😃
🚀 mbays · 2023-05-29 at 07:25:
Maybe we should take this opportunity to finish here the work started on gitlab of finalising the spec? I don't know how well Bubble will work for this kind of discussion, but it's at least more accessible than javascripty gitlab. If we can reach clear reasoned community consensus on the remaining (small) issues, we can hope that Solderpunk would approve and incorporate them into the official spec.
🕹️ skyjake [mod...] · 2023-05-29 at 08:38:
@mbays I think the problem with anyone else but Solderpunk finishing the spec is not with any technical solution, no matter how well-suited. No one but Solderpunk has the authority to do that work.
At best I could see an unofficial community-blessed "amendment" being put forth as a delta on top of the circumlunar specification, purposefully contradicting nothing in the official spec but just tightening things up based on experience from actual server and client implementations. Solderpunk might then at some point be interested in incorporating some of those things into the official specification.
🚀 mbays · 2023-05-29 at 11:21:
@skyjake Solderpunk has the final say, agreed. This would just be to hash out again exactly what is unclear in the spec and see if there can be some consensus on how it should be clarified.
🦀 jeang3nie · 2023-05-30 at 18:53:
@stack1 exactly.
😎 flipperzero · 2023-05-30 at 22:09:
I replied a messload to this whole thing through so many diff platforms. I'll leave a very summarized one here.
I think the guy's heart is in the right place, but he's missing the spirit entirely. The whole thing breathes an air of unwarranted self-important presumed authority. That said, I think there are valid criticisms in terms of security certification or file transfer (although I resent they assume it's ALL text/plain, being the mod of s/music smfh) but some of which @skyjake 's apps have given very accessible solutions to.
That's about it for my say in this, i'm sure i'll have more to post about later lolol.
🧩 ERnsTL · 2023-07-12 at 18:55:
Greetings everyone, the Gemini feature for curl is at risk of being closed: https://github.com/curl/curl/pull/11170 Any takers?
THE GEMINI PROTOCOL SEEN BY THIS HTTP CLIENT PERSON — This is a very interesting blog post by curl maintainer Daniel Stenberg. The suggestions he has for the Gemini protocol are summarized below: * 1. Split the spec into three separate ones: protocol, URL syntax, media type. Expand the protocol parts with more exact syntax descriptions and examples to supplement the English. * 2. Clarify the client certificate use to be origin based, not host name. *