Stephane Bortzmeyer stephane at sources.org
Mon Mar 8 12:14:06 GMT 2021
- - - - - - - - - - - - - - - - - - -
On Fri, Mar 05, 2021 at 01:33:49PM +0100, nothien at uber.space <nothien at uber.space> wrote a message of 44 lines which said:
I propose an extension to this, which allows servers to announce
their intention (in a verifiable way) to change certificates in the
near future. Essentially, servers now provide (over Gemini) a
'/.pubkey' URL where they serve the hash of the public key they will
use in the near future (which may be the same as the public key they
use right now).
And Drew deVault who said that using Let's Encrypt was too complicated:-) Anything that requires such operations does not seem to fit withthe principles of Gemini. (And I speak from experience managing DNSSECkey rollovers.)
Also, this proposal does not address unplanned emergency changes (suchas one triggered by a compromise of the private key). They are one ofthe biggest problems with TOFU.