Robert "khuxkm" Miles khuxkm at tilde.team
Tue Oct 26 07:44:23 BST 2021
- - - - - - - - - - - - - - - - - - -
October 25, 2021 9:48 PM, "Rohan Kumar" <seirdy at seirdy.one> wrote:
> A TLDR: the ecosystem can evolve without changing/breaking the existing
> spec. Let's freeze the spec soon!
That is indeed what Solderpunk aims to do (AFAICT), just fixing up the last few corner cases before declaring the spec done and finished.
> Speaking of TLS: ome [sic] people from the netsec crowd have bristled at
> Gemini's TOFU model, but I don't think fixing that should require
> changes in the spec either. Adding e.g. a DHT of some sort doesn't have
> to change how the Gemini protocol works; it can simply be a thing users
> use to verify certs "out of band" the first time they visit a capsule.
> Stuff like Tor hidden services are also a good fit for Gemini (I think
> the part of the Gemini Space accessible over Tor is called "Deep Space")
> and can mitigate the issues inherent to TOFU without changing the spec.
I'm of the opinion that TOFU is perfectly fine in this scenario. The only thing I think would be good as an addition to Gemini is a way to deprecate a certificate. As it stands, if your capsule gets compromised there is no way to stop clients from recognizing the compromised certificate as valid. That being said, as you mentioned, that's more of a thing that can be decided out-of-band and doesn't really require the Gemini spec to change.
> Adding features is typically misguided: it's better to *complement*
> Gemini with other protocols suited for other purposes than to *extend*
> it. One such protocol is the spartan:// client-to-server protocol.
> Gemini can concentrate on supporting server-to-many-client situations
> while Spartan can concentrate on client-to-server communication.
> (This is not necessarily an endorsement of Spartan; I do have some
> issues with it, but that's off-topic).
I feel like that's a mischaracterization of Spartan. In the past, I've described Spartan as "gemini - tls + uploads", because that's basically what it is (barring some things like the =: line type for input links, and the one-character status codes). It's more its own protocol that happens to take design cues from Gemini (Sean, if I'm completely missing the point here, please do tell me, but this is the impression I've gotten so far). Perhaps you meant Titan?
Just my two cents,
Robert "khuxkm" Miles
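The TOFU pinning and out-of-band certificate deprecation discussed in this thread, as an added example (not code from the thread or from any Gemini client). It shows why a plain pin store keeps trusting a compromised certificate, and how a deprecation list fed from an out-of-band channel closes that gap without touching the protocol. The host name and certificate bytes are constructed.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first-seen"   # no pin yet: trust on first use
    MATCH = "match"             # presented cert equals the pinned one
    MISMATCH = "mismatch"       # a pin exists but the cert differs
    DEPRECATED = "deprecated"   # cert was withdrawn via an out-of-band channel


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Per-host certificate pins plus a list of withdrawn fingerprints."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}      # host -> fingerprint pinned on first visit
        self.deprecated: set[str] = set()   # fingerprints withdrawn out of band

    def check(self, host: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        # The deprecation list is consulted first: without it, a compromised cert
        # that matches the pin would be reported as MATCH forever.
        if fp in self.deprecated:
            return Verdict.DEPRECATED
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp            # first visit: pin what we saw
            return Verdict.FIRST_SEEN
        return Verdict.MATCH if pinned == fp else Verdict.MISMATCH

    def deprecate(self, host: str, cert_der: bytes) -> None:
        """Record an out-of-band withdrawal; drop the pin so the host can re-pin."""
        fp = fingerprint(cert_der)
        self.deprecated.add(fp)
        if self.pins.get(host) == fp:
            del self.pins[host]


if __name__ == "__main__":
    store = TofuStore()
    old_cert = b"constructed-cert-A"   # stand-in for a DER blob
    host = "example.capsule"           # constructed host name
    print(store.check(host, old_cert))  # first-seen
    print(store.check(host, old_cert))  # match
    store.deprecate(host, old_cert)
    print(store.check(host, old_cert))  # deprecated
```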