nervuri nervuri at disroot.org
Wed Apr 28 18:47:29 BST 2021
- - - - - - - - - - - - - - - - - - -
Geminispace is (currently) small enough that we can afford to download all known capsules' TLS certificates and use them to generate trust stores for Gemini clients. If verified via multiple network perspectives, using a pre-generated trust store is a major improvement over blindly trusting-on-first-use.
I wrote a set of shell scripts to do this: https://tildegit.org/nervuri/trust-store-generators
This is their output (which I will update every few days): https://tildegit.org/nervuri/trust-stores
The details are in the README files, so I won't repeat myself too much. The idea is:
1. download the list of hosts from gemini://geminispace.info/known-hosts;
2. download those hosts' TLS certificates (and double-check each one via Tor, whenever possible);
3. generate trust stores for various Gemini clients (to start with: Agunua, Amfora and Lagrange).
Contributions are welcome. Requests to add specific clients are also welcome (I don't know which ones are the most popular). Existing scripts (ex: [1]) can be used as templates to add trust stores for more clients.
[1] https://tildegit.org/nervuri/trust-store-generators/src/branch/master/lagrange/generate-trust-store.sh
For each client there are instructions on how to use the generated trust store and merge it with your own (ex: [2]). Merging at the moment is quite simplistic; a mismatch-aware merging method is something I'd like to develop later on.
[2] https://tildegit.org/nervuri/trust-stores/src/branch/master/agunua/INSTRUCTIONS.md
Of course, you don't need to trust that I am publishing the correct certificates and trust stores. The scripts should be easy to understand (if not, tell me - I consider this to be very important), so run them yourselves and check if my results are replicated from your own network perspectives. If your results don't coincide with what I've published, please let me know. And if you decide to run a public repo, tell me about it. We could set up automatic comparisons of published data to notify us of inconsistencies.
What I hope to see eventually is client developers bundling pre-generated trust stores with their clients. This will go a long way towards addressing TOFU's first-connection problem.
Probably the big issue with this idea is that client developers may not want to bundle, for instance, Let's Encrypt cert fingerprints, as they change every 2-3 months. They may only want to include long-lived (and long-expired) certificates. So, to allow for this, all generator scripts accept certificate expiry boundaries as arguments (see the README).
As a side-effect, this project will give us a history of certificates in Geminispace. And aside from the certificates themselves, we have tables containing details about each certificate, in markdown [3] and CSV [4] formats.
[3] https://tildegit.org/nervuri/trust-stores/src/branch/master/cert-details.md
[4] https://tildegit.org/nervuri/trust-stores/raw/branch/master/cert-details.csv
This project delivers on xq's idea of a distributed trust system [5], because the "certs" directory (containing PEM-encoded certs with filenames corresponding to the host:port [6]) can be freely shared and re-created. The main difference from xq's proposal is that no changes to Gemini clients are required. We don't require the involvement of client developers at all; anyone can write scripts to generate trust stores for any client.
Of course, client developers are the ones best suited to write these scripts, so I encourage them especially to contribute and, ideally, to bundle trust stores with their clients (or have a secure, built-in method of downloading a verified Geminispace trust store).
[5] gemini://random-projects.net/blog/2021-03-03-distributed-trust.gemini
[6] https://tildegit.org/nervuri/trust-stores/src/branch/master/certs
P.S. The "certs" directory is currently at 3.4 MB for 839 certificates. It compresses to 560 KB.
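The pipeline the message describes (fetch each host's certificate, cross-check it from a second network perspective, emit a trust store, merge it with the user's own pins), as an added example in Python. This is not nervuri's shell scripts and not part of the original post. The host names (alpha.example etc.), the PEM bodies and the one-line-per-host store format are constructed for illustration and are not any real Gemini client's format; the merge step goes one step beyond the post by refusing to silently overwrite a pin that disagrees with the generated store.

```python
"""Added example, not nervuri's scripts: an offline model of the pipeline
described in the post.  Certificate PEMs, host names and the trust-store
line format below are constructed for illustration; the store format is
not any real Gemini client's."""
import hashlib
import socket
import ssl

GEMINI_PORT = 1965


def fetch_pem(host, port=GEMINI_PORT, timeout=10):
    """Step 2 for one host: return the server's leaf certificate as PEM.
    Verification is deliberately off: we are collecting pins, not checking
    them.  This is the network step; the offline demo below does not call it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI matters for Gemini hosts
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def fingerprint(pem_text):
    """SHA-256 over the DER encoding, lower-case hex: the usual pin format."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def cross_check(direct, via_tor):
    """Compare what two network perspectives saw.  Returns three dicts of
    host:port -> fingerprint: agreed by both perspectives, seen only directly
    (Tor could not reach the host: pinned but flagged), and mismatched
    (excluded: a different cert on one path is exactly what a MITM looks like)."""
    agreed, unverified, mismatched = {}, {}, {}
    for hp, pem_text in direct.items():
        fp = fingerprint(pem_text)
        if hp not in via_tor:
            unverified[hp] = fp
        elif fingerprint(via_tor[hp]) == fp:
            agreed[hp] = fp
        else:
            mismatched[hp] = fp
    return agreed, unverified, mismatched


def render_store(pins):
    """Step 3 in a hypothetical 'host:port sha256hex' line format (demo only)."""
    return "".join(f"{hp} {fp}\n" for hp, fp in sorted(pins.items()))


def parse_store(text):
    """Inverse of render_store; '#' lines are comments."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hp, fp = line.split()
        pins[hp] = fp
    return pins


def merge_stores(existing, generated):
    """Mismatch-aware merge: the user's existing pins win, hosts the user has
    never seen are added, and any host where the two disagree is reported
    instead of being silently overwritten."""
    merged = dict(existing)
    conflicts = {}
    for hp, fp in generated.items():
        if hp in merged and merged[hp] != fp:
            conflicts[hp] = (merged[hp], fp)
        else:
            merged.setdefault(hp, fp)
    return merged, conflicts


def pem(body):
    """Constructed PEM wrapper around an arbitrary base64 body (demo only; the
    bytes inside are not a parseable certificate, but hashing them is enough
    to exercise the pipeline)."""
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed inputs: what step 2 would have produced from two perspectives.
DIRECT = {
    "alpha.example:1965": pem("YWJj"),   # DER bytes b"abc"
    "beta.example:1965": pem("YWJk"),    # DER bytes b"abd"
    "gamma.example:1965": pem("YWJl"),   # Tor could not reach this one
}
VIA_TOR = {
    "alpha.example:1965": pem("YWJj"),   # same cert on both paths
    "beta.example:1965": pem("eHl6"),    # different cert: excluded from the store
}

if __name__ == "__main__":
    agreed, unverified, mismatched = cross_check(DIRECT, VIA_TOR)
    print(render_store({**agreed, **unverified}), end="")
    for hp in unverified:
        print(f"# not cross-checked (unreachable via Tor): {hp}")
    for hp in mismatched:
        print(f"# mismatch between perspectives, excluded: {hp}")
```

The fingerprint of the "alpha" entry is the SHA-256 of the bytes "abc", a standard test vector, so the value can be checked against any other tool; replacing the constructed DIRECT/VIA_TOR dicts with the output of fetch_pem over the known-hosts list (once directly, once through a SOCKS proxy) turns the demo into the real collection step.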