
Does a cert need a Common Name matching the domain?

Gary Johnson lambdatronic at disroot.org

Tue Jul 21 04:11:22 BST 2020

- - - - - - - - - - - - - - - - - - - 

I was under the impression that the Gemini spec already made it mandatory to make CNs match the requested domain name. That's why I implemented SNI in Space Age. Here's the relevant section of the spec:

From gemini://gemini.circumlunar.space/docs/specification.gmi:
-----------------------------------------------------------------
4 TLS

Use of TLS for Gemini transactions is mandatory.

Use of the Server Name Indication (SNI) extension to TLS is also mandatory, to facilitate name-based virtual hosting.
-----------------------------------------------------------------

If I'm misunderstanding something here, please clarify.

Thanks, Gary

Alex Schroeder <alex at gnu.org> writes:

> On Sun, 2020-07-19 at 15:57 +0200, Solderpunk wrote:
>> I still wonder, though, if it doesn't make sense to check the domain
>> names and expect them to match (AV-98 does this, for what it's
>> worth), mostly just to help guard against configuration errors and
>> things like that?
>
> I don't know. Do we HAVE to check? If we only have to check when the
> common name is an actual domain, how do we detect that, regular
> expressions? It seems to run counter to what TOFU promised.
>
> I feel it should be OK for transjovian.org to serve a wiki, and for
> alexschroeder.ch:1965 to show that wiki, even though it uses the
> certificate I used for transjovian.org. If the server domains have to
> match, then I have to do the SNI thing and serve different
> certificates and that's going to make certificates harder, again.
> Please don't do this.

-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
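The two checks the thread contrasts, TOFU pinning per host:port and a hostname match against the certificate's names as a guard against configuration errors, as an added Python example that is not code from this thread, AV-98 or Space Age. It assumes certificate metadata in the dict shape ssl.SSLSocket.getpeercert() returns; the names, the DER bytes and the warn-only policy for a name mismatch are constructed choices for illustration.

```python
import hashlib

# Constructed stand-ins for what a client sees after the handshake: metadata in
# the shape ssl.SSLSocket.getpeercert() returns, plus raw DER bytes (not a real cert).
TRANSJOVIAN_CERT = {
    "subject": ((("commonName", "transjovian.org"),),),
    "subjectAltName": (("DNS", "transjovian.org"), ("DNS", "*.transjovian.org")),
}
TRANSJOVIAN_DER = b"constructed-der-bytes-for-transjovian"

def cert_names(cert):
    """DNS names the cert claims: SAN dNSNames, with the CN only as a fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive exact match; a leading '*.' covers exactly one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def hostname_matches(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

class TofuStore:
    """Pins the first SHA-256 fingerprint seen per (host, port); a change is the alarm."""
    def __init__(self):
        self.pins = {}

    def check(self, host, port, der):
        fp = hashlib.sha256(der).hexdigest()
        key = (host, port)
        if key not in self.pins:
            self.pins[key] = fp
            return "new"
        return "ok" if self.pins[key] == fp else "changed"

def verify(store, host, port, der, cert):
    """TOFU decides trust; a name mismatch is only reported, so a shared cert keeps working."""
    tofu = store.check(host, port, der)
    warning = None if hostname_matches(cert, host) else "cert names do not cover %s" % host
    return tofu, warning
```

Run against the thread's own case (the transjovian.org certificate served on alexschroeder.ch:1965), the first visit pins the fingerprint and only attaches a name-mismatch warning; a later fingerprint change on that host:port is what TOFU flags.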