Updated recommendations regarding TOFU & TLS

Petite Abeille petite.abeille at gmail.com

Thu Mar 4 17:59:25 GMT 2021

- - - - - - - - - - - - - - - - - - - 
On Mar 4, 2021, at 18:45, Drew DeVault <sir at cmpwn.com> wrote:
> https://en.wikipedia.org/wiki/Trust_on_first_use
> See also section 4.2 of the Gemini specification:

Gemini keeps on repeating 'tofu', 'tofu', 'tofu' — like a talisman.

And each and every client understands it differently — if at all.

To add insult to injury, it's purely optional. Optional! While TLS is mandatory!

It's fantastic that servers generate certificates on the fly — trivial things first.

But then what? What's the operating model? Specifically. Consistently. Across the board.

If each client-server pair has its own view on how to handle TLS — then Gemini has nothing at all.

Just a giant mess. With mandatory TLS pain for everyone.

I don't get it.

So be it.

±0¢