Removing expiry dates for TOFU

Hannu Hartikainen hannu.hartikainen+gemini at gmail.com

Thu Jul 9 15:24:49 BST 2020

- - - - - - - - - - - - - - - - - - - 

If you're willing to look at unusual uses of TLS, I'll mention that there's also an RFC for OpenPGP-based TLS encryption. This is not a recommendation!

https://tools.ietf.org/html/rfc6091

That would allow web-of-trust based infrastructure. But as there are no widespread implementations, it will be a pain to use in practice.

In my very humble opinion, a community-based distributed trust system is safer than TOFU and more suitable for non-commercial use than CA based PKI. But in practice *any* TLS is much, much safer than plaintext as it completely prevents eavesdropping without a full-fledged MitM attack.

A more practical way of building a web of trust upon TOFU would be for browsers to export cert fingerprint lists that people can share on their sites. These could be compared and imported, and with some human interaction we should notice when MitM attacks start happening in practice.

-Hannu

On Thu, 9 Jul 2020 at 01:19, Solderpunk <solderpunk at posteo.net> wrote:

Thanks for sharing this! I will read it closely. It's a shame if it's
not widely implemented, but there may well still be good ideas in there,
or details we've overlooked.
Cheers,
Solderpunk
On Wed Jul 8, 2020 at 11:27 PM CEST, Petite Abeille wrote:
On Jul 8, 2020, at 20:25, Phil Leblanc <philanc at gmail.com> wrote:
Yes. Looks interesting, and it goes in the right direction.
Unfortunately, the RFC is already quite old (2014) and according to
Wikipedia, it is only supported by GnuTLS (I didn't check directly).
Do you know if it is already used in some visible applications?
Hmm, no :) Just stumbled upon it on the openssl mailing list, where
someone was asking if it was supported:
RFC 7250 raw public keys?
https://www.mail-archive.com/openssl-users@openssl.org/msg88412.html
There is an open issue for it:
Raw Public Key (RFC 7250) support
https://github.com/openssl/openssl/issues/6929
mbedtls seems to have something:
Support Raw Public Key mode (RFC7250)
https://github.com/ARMmbed/mbedtls/pull/336
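
The fingerprint-list comparison proposed in the message above, sketched as an added example (not part of the original thread and not code from any Gemini client). The `host:port fingerprint` line format, the `quorum` parameter and all names and sample data are assumptions made for illustration.

```python
# Added example: cross-checking TOFU fingerprint lists shared by peers.
# The "host:port fingerprint" line format is an assumption, not a Gemini standard.
from collections import defaultdict


def parse_list(text):
    """Parse 'host:port fingerprint' lines; '#' comments and blanks are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, fp = line.split()  # raises ValueError on a malformed line
        pins[host.lower()] = fp.lower().replace(":", "")
    return pins


def cross_check(local, peers, quorum=2):
    """Compare local pins with peers' exported lists.

    Returns (conflicts, importable):
      conflicts  - host -> {fingerprint: [who reported it]} where views differ
      importable - host -> fingerprint for hosts not pinned locally, where at
                   least `quorum` peers report it and nobody disagrees
    """
    seen = defaultdict(lambda: defaultdict(list))
    for name, pins in [("local", local)] + sorted(peers.items()):
        for host, fp in pins.items():
            seen[host][fp].append(name)
    conflicts, importable = {}, {}
    for host, views in seen.items():
        if len(views) > 1:
            conflicts[host] = {fp: who for fp, who in views.items()}
        elif host not in local:
            (fp, who), = views.items()
            if len(who) >= quorum:
                importable[host] = fp
    return conflicts, importable


# Constructed sample data (fingerprints shortened for readability).
LOCAL = parse_list("example.org:1965 aa11\ncapsule.test:1965 bb22\n")
PEERS = {
    "alice": parse_list("example.org:1965 aa11\ncapsule.test:1965 cc33\nnew.test:1965 dd44\n"),
    "bob": parse_list("capsule.test:1965 cc33\nnew.test:1965 dd44\nsolo.test:1965 ee55\n"),
}
CONFLICTS, IMPORTABLE = cross_check(LOCAL, PEERS)
```

A conflict can also be a legitimate certificate rotation, so each one is a prompt for the human review the message mentions rather than proof of interception.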