nervuri nervuri at disroot.org
Sun Jan 10 12:54:34 GMT 2021
- - - - - - - - - - - - - - - - - - -
Two privacy-related suggestions:
TLS 1.3 encrypts client certs, TLS 1.2 doesn't. On 1.2 your ISP might see the user you log in as, your e-mail address and whatever other information you (are required to) put in the cert. Please consider only allowing client certificates over TLS 1.3 (and newer).
The spec says:
Clients can validate TLS connections however they like
As long as CA-based validation is allowed in Gemini, consider adding an exception along the lines of "Thou shalt not make OCSP requests", as they are notoriously bad for privacy, add latency and are easy to block by attackers.
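As an added illustration of the first suggestion (not code from nervuri or from any Gemini project), the following Go program shows one way a server can keep serving anonymous TLS 1.2 clients while refusing to accept a client certificate unless the session negotiated TLS 1.3, so the certificate (and whatever identity it carries) is never sent in cleartext. The policy lives in `VerifyGeminiClientCert`; `TryHandshake` exercises it over a loopback socket with throwaway self-signed certificates. All names, the loopback setup and the constructed certificates are assumptions of this example; it uses only Go's standard `crypto/tls` API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyGeminiClientCert is the server-side policy (hypothetical name):
// anonymous connections are fine on any supported version, but a client
// certificate is only accepted when the negotiated version is TLS 1.3,
// where the client's Certificate message is encrypted under handshake keys.
// On TLS 1.2 that message, and so the user's identity, is sent in the clear.
func VerifyGeminiClientCert(cs tls.ConnectionState) error {
	if len(cs.PeerCertificates) == 0 {
		return nil // no identity was offered, nothing to protect
	}
	if cs.Version < tls.VersionTLS13 {
		return errors.New("client certificate offered over TLS < 1.3; refusing so the identity never travels in cleartext")
	}
	return nil
}

// selfSigned builds a throwaway ECDSA P-256 certificate for the loopback demo.
// Constructed test material only, not something a real server would ship.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// TryHandshake runs one loopback handshake against a server enforcing
// VerifyGeminiClientCert. clientMaxVersion caps what the client negotiates;
// withCert decides whether the client presents a certificate. It returns the
// server's handshake verdict: under TLS 1.3 the client finishes before the
// server has even read the certificate, so the client-side error alone is
// not authoritative.
func TryHandshake(clientMaxVersion uint16, withCert bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates:     []tls.Certificate{selfSigned("localhost")},
		MinVersion:       tls.VersionTLS12,      // anonymous 1.2 clients are still served
		ClientAuth:       tls.RequestClientCert, // ask for a cert, do not require one
		VerifyConnection: VerifyGeminiClientCert,
	})
	if err != nil {
		return err
	}
	defer ln.Close()

	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer conn.Close()
		serverErr <- conn.(*tls.Conn).Handshake()
	}()

	ccfg := &tls.Config{
		InsecureSkipVerify: true, // self-signed loopback server; demo only
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         clientMaxVersion,
	}
	if withCert {
		ccfg.Certificates = []tls.Certificate{selfSigned("user@example.invalid")}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), ccfg)
	if err == nil {
		conn.Close()
	}
	return <-serverErr
}

func main() {
	cases := []struct {
		name string
		max  uint16
		cert bool
	}{
		{"TLS 1.3 + client cert", tls.VersionTLS13, true},
		{"TLS 1.2 + client cert", tls.VersionTLS12, true},
		{"TLS 1.2 anonymous", tls.VersionTLS12, false},
	}
	for _, c := range cases {
		fmt.Printf("%-24s -> %v\n", c.name, TryHandshake(c.max, c.cert))
	}
}
```

The server keeps `MinVersion` at TLS 1.2 and uses `RequestClientCert` rather than `RequireAndVerifyClientCert`, so the version floor is raised only for the one thing that leaks identity. Note that the loopback client here makes no OCSP requests: Go's `crypto/tls` never fetches OCSP responses on its own (it only exposes a stapled response if the server sends one), which is the client behaviour the second suggestion asks for.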