Hi All,

Does anyone know of a way to use my ssh RSA key-pairs as my identity for Gemini?

Thanks,
Chris
Chris McGee <newton688 at gmail.com> writes:

> Does anyone know of a way to use my ssh RSA key-pairs as my identity for
> Gemini?

Hi Chris,

Any Gemini capsule may choose to prompt your browser for a client certificate. These can often be provided as either temporary or permanent certs if your browser supports this feature. While many browsers will auto-generate certs for you on the fly if requested, you can also usually provide your own on a capsule-by-capsule basis.

If you want to use an existing certificate on your machine for one or more Gemini capsules, you are free to do so. Just add them to your browser's certificate collection.

Unfortunately, an SSH RSA key-pair isn't an X.509 SSL certificate, which is what you need to give your Gemini browser. SSH produces/uses a public key file and a private key file. For Gemini, you'll need a certificate file (which contains the public key plus some ownership and signing metadata) as well as a private key file.

I hope that helps.

Happy hacking,
Gary

--
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
On Fri, Jul 9, 2021, at 9:30 AM, Chris McGee wrote:
> Hi All,
>
> Does anyone know of a way to use my ssh RSA key-pairs as my identity for Gemini?

I don't think that's in the spec. It's all about TLS.

--
Matthew Graybosch
gemini://starbreaker.org
"The lies you tell yourself are the lies that define you."
#include <disclaimer.h>
On Fri, Jul 9, 2021 at 11:46 AM Matthew Graybosch <contact at starbreaker.org> wrote:
>
> > Does anyone know of a way to use my ssh RSA key-pairs as my identity for
> > Gemini?
>
> I don't think that's in the spec. It's all about TLS.
>

I know that I'm relatively new to Gemini. I'm wondering if there were reasons why SSH wasn't chosen as the transport for Gemini, like git? SSH doesn't have the certificate expiry issue, for example.
On Fri, Jul 09, 2021 at 11:59:35AM -0400,
 Chris McGee <newton688 at gmail.com> wrote
 a message of 40 lines which said:

> I'm wondering if there were reasons why SSH wasn't chosen as the
> transport for Gemini, like git? SSH doesn't have the certificate
> expiry issue, for example.

[Warning: I'm not Solderpunk but I try to impersonate him.]

The expiration is not really an issue since you can always create certificates with ridiculous durations (20 years...).

Otherwise, the big problem with SSH is that there are far fewer libraries available, compared to TLS.
On Fri, Jul 9, 2021 at 2:43 PM Stephane Bortzmeyer <stephane at sources.org> wrote:
> Otherwise, the big problem with SSH is there are much less available
> libraries, compared to TLS.
>

I think the picture may have changed a bit in the last few years. There appear to be mature libraries available for C (libssh), Java (JSCH), Go (x/crypto/ssh) and Python, and probably many others.

It would be nice to re-use my identities and trusts that I use for ssh, git and gerrit for gemini (and other protocols too) with my own per-host configurations.

Another interesting side effect of using ssh as the transport is that you could use ssh to script interactions with a gemini server because the protocol is so simple; no need to implement gemini versions of curl to do that. Similarly, setting up a gemini server could be as simple as setting up ssh with a shell script to follow the protocol and echo out the page for a given URI.
July 9, 2021 9:30 AM, "Chris McGee" <newton688 at gmail.com> wrote:
> Hi All,
>
> Does anyone know of a way to use my ssh RSA key-pairs as my identity for Gemini?

As everyone else has said, Gemini uses TLS and not SSH. However, nobody seems to have mentioned you could just sign a TLS certificate with your private key? You would simply use a command like the following:

    openssl req -x509 -sha256 -days 3650 -key privkey.pem -out mycert.crt

That would generate a certificate with your existing private key.

Just my two cents,
Robert "khuxkm" Miles
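Gary's point (an SSH key pair is just the key; a Gemini client needs an X.509 certificate wrapped around it) and Robert's openssl one-liner describe the same operation. The Go program below is an added example, not code from anyone in this thread, that performs it with only the standard library: it reads an RSA private key from PEM, builds a self-signed client certificate around it with a long lifetime of the kind Stephane mentions, and then checks that the certificate really carries the SSH key by computing the same SHA256 fingerprint that `ssh-keygen -lf` prints. One caveat the openssl command glosses over: OpenSSL and Go's x509 package both read the traditional PEM container (`-----BEGIN RSA PRIVATE KEY-----`, what `ssh-keygen -m PEM` writes); a key in the newer `-----BEGIN OPENSSH PRIVATE KEY-----` container, which current OpenSSH writes by default, has to be converted first with `ssh-keygen -p -m PEM -f ~/.ssh/id_rsa` (this rewrites the file in place, so back it up). The key pair here is generated in-program because no real key ships with the example; the common name `chris` and the 20-year lifetime are illustrative choices, not anything the thread prescribes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parsePEMRSAKey reads the traditional "RSA PRIVATE KEY" (PKCS#1) PEM container that
// `ssh-keygen -m PEM` writes; the newer OpenSSH-native container is rejected with a hint.
func parsePEMRSAKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	switch {
	case block == nil:
		return nil, fmt.Errorf("no PEM block found")
	case block.Type == "OPENSSH PRIVATE KEY":
		return nil, fmt.Errorf("OpenSSH-native key; convert with `ssh-keygen -p -m PEM -f <keyfile>` first")
	case block.Type != "RSA PRIVATE KEY":
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// selfSignedCert wraps an existing RSA key in a self-signed X.509 client cert, the
// equivalent of `openssl req -x509 -sha256 -days <days> -key privkey.pem -out mycert.crt`.
// The template doubles as parent, so the cert is signed by the very key it carries.
func selfSignedCert(key *rsa.PrivateKey, cn string, days int) ([]byte, error) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // crypto/rand does not fail
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn}, // illustrative CN; clients usually display it
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// sshFingerprint reproduces what `ssh-keygen -lf id_rsa.pub` prints: SHA-256 over the
// ssh-rsa wire blob (string "ssh-rsa", mpint e, mpint n), base64 without padding.
func sshFingerprint(pub *rsa.PublicKey) string {
	var blob []byte
	putString := func(b []byte) { // SSH "string": uint32 length prefix, then bytes
		blob = binary.BigEndian.AppendUint32(blob, uint32(len(b)))
		blob = append(blob, b...)
	}
	putMpint := func(n *big.Int) { // SSH mpint: big-endian, 0x00 prepended if top bit set
		b := n.Bytes()
		if len(b) > 0 && b[0]&0x80 != 0 {
			b = append([]byte{0}, b...)
		}
		putString(b)
	}
	putString([]byte("ssh-rsa"))
	putMpint(big.NewInt(int64(pub.E)))
	putMpint(pub.N)
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// certFingerprint returns the SSH-style fingerprint of the key a DER certificate carries,
// so you can check against ssh-keygen that a capsule will see your SSH identity.
func certFingerprint(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return sshFingerprint(pub), nil
	}
	return "", fmt.Errorf("certificate public key is not RSA")
}

// demoKeyPEM stands in for a real id_rsa (none ships with this example): a fresh key
// in the same PKCS#1 PEM form that `ssh-keygen -m PEM` produces.
func demoKeyPEM() []byte {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

func main() {
	key, err := parsePEMRSAKey(demoKeyPEM()) // real use: the bytes of your converted ~/.ssh/id_rsa
	if err != nil {
		panic(err)
	}
	der, _ := selfSignedCert(key, "chris", 20*365) // 20-year lifetime, as suggested in the thread
	certFP, _ := certFingerprint(der)
	fmt.Println("ssh-keygen -lf:", sshFingerprint(&key.PublicKey), "\ncert carries:  ", certFP)
}
```

To load the result into a client, write the DER returned by selfSignedCert into a `CERTIFICATE` PEM block with pem.Encode and keep it next to the private key file; that cert-plus-key pair is what Gary's "add them to your browser's certificate collection" refers to. The fingerprint comparison is the part worth keeping around: a capsule that recognises you by your client certificate is recognising the public key inside it, so confirming that key is the one `ssh-keygen -lf` reports is what makes the SSH identity and the Gemini identity the same thing rather than merely similar-looking files.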