Hey List and especially solderpunk!

I just started to read on the certificate stuff and looked at Astrobotany [0] as an example application using client certificates.

Their process looks like this:
1. Generate private key
2. Generate a certificate request
3. Submit your CSR via HTTPS to astrobotany, they will then send you a signed certificate
4. Use that certificate to authenticate at astrobotany

Now I wonder: Is this the planned way everyone should go? What about self-signed client certificates?

I would expect Gemini to use self-signed client certificates for identity management, and even more for transient certificates.

The documentation on client certificates is mainly §1.4.3 and the status codes 61 and 62, but no word about how to obtain these client certificates.

I think this needs some clarification on how to handle this.

Regards
xq

[0] gemini://astrobotany.mozz.us/
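The two ways of obtaining a client certificate that the message above contrasts, as an added example that is not part of the thread, of Astrobotany or of AV-98: a self-signed certificate made locally (the "identity is just a key pair" model, with a short validity for a transient identity) beside a CSR for the "upload it and get it signed" flow. It assumes only the openssl command-line tool; the idea that a server accepting self-signed client certificates would key its user table on the certificate's SHA-256 fingerprint is an assumption here, not something the spec or the thread states, and the Gemini connection helper uses a placeholder host and is not exercised by the checks.

```shell
#!/bin/sh
# Added example (not from the thread, Astrobotany or AV-98): the two ways a
# Gemini client could obtain a client certificate, using only the openssl CLI.
#   - make_self_signed_client_cert: key + self-signed cert, no third party
#   - make_csr: key + CSR, for the Astrobotany-style "send a CSR, get it signed" flow
# Each identity is one key pair; a "transient" identity is just a short-lived
# self-signed certificate thrown away after the session.
set -eu

# Generate an EC P-256 key and a self-signed certificate named NAME in DIR.
# DAYS is the validity period; a small value makes a transient identity.
make_self_signed_client_cert() {
    dir=$1; name=$2; days=${3:-365}
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/$name.key"
    openssl req -new -x509 -key "$dir/$name.key" -out "$dir/$name.crt" \
        -days "$days" -subj "/CN=$name" 2>/dev/null
}

# Generate a key and a certificate signing request for NAME in DIR. The CSR
# is what you would upload (e.g. over HTTPS) to a service that signs it; the
# private key never leaves the machine.
make_csr() {
    dir=$1; name=$2
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
}

# Print the SHA-256 fingerprint of a certificate as 64 lowercase hex chars.
# A server that accepts self-signed client certs has no CA to trust, so
# (assumption) it would key its user table on this value instead.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 if the certificate is self-signed (issuer equals subject).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Present the certificate to a Gemini server (port 1965) and send one request.
# Network call; HOST is a placeholder and this is not run by the checks below.
gemini_request_with_cert() {
    host=$1; url=$2; crt=$3; key=$4
    printf '%s\r\n' "$url" | openssl s_client -quiet -connect "$host:1965" \
        -servername "$host" -cert "$crt" -key "$key" 2>/dev/null
}

# Usage (constructed run in a temp dir):
#   d=$(mktemp -d)
#   make_self_signed_client_cert "$d" xq 30   # 30-day transient identity
#   cert_fingerprint "$d/xq.crt"              # what a server would remember
#   make_csr "$d" xq                          # for the Astrobotany-style flow
```

The self-signed path needs no round trip to anyone: the client mints the certificate, and whatever the server remembers about the user has to be derived from the certificate itself, which is why the fingerprint helper is there. The CSR path keeps the private key local too; only the request is sent, and the returned certificate chains to the service's own signing key.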
Howdy,

Yes, massively, you are right. I mentioned this in my recent gemlog post on TLS, please see:

gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/tls-musings.gmi

This part of the spec needs tightening up, and since we actually have real world implementations of an application using client certificates I consider this a higher priority than some other stuff, which is only a possible future concern yet. I expect most of the major changes to come shortly after the spec unfreeze will relate to client certificates.

I have been thinking about the matter and have coded up lots of client certificate related stuff in AV-98 in the past week or so to demonstrate concrete ideas about how we might want this to work. Please be patient until this coming weekend when I'll do a release and make some posts about this. :)

Cheers,
Solderpunk

On Tue, May 19, 2020 at 11:08:09PM +0200, Felix Queißner wrote:
> Hey List and especially solderpunk!
>
> I just started to read on the certificate stuff and looked at
> Astrobotany [0] as an example application using client certificates.
>
> Their process looks like this:
> 1. Generate private key
> 2. Generate a certificate request
> 3. Submit your CSR via HTTPS to astrobotany, they will then send you a
> signed certificate
> 4. Use that certificate to authenticate at astrobotany
>
> Now I wonder:
> Is this the planned way everyone should go? What about self-signed
> client certificates?
>
> I would expect Gemini to use self-signed client certificates for
> identity management, and even more for transient certificates.
>
> The documentation on client certificates is mainly §1.4.3 and the status
> codes 61 and 62, but no word about how to obtain these client certificates.
>
> I think this needs some clarification on how to handle this.
>
> Regards
> xq
>
> [0] gemini://astrobotany.mozz.us/
Hey,

> Yes, massively, you are right. I mentioned this in my recent gemlog
> post on TLS, please see:
> gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/tls-musings.gmi

It might be that your server is currently unreachable, I can't connect to port 1965 with IPv4 :(

> Please be patient until this coming weekend when I'll do a release and
> make some posts about this. :)

Okay, sure! I think I'll need the time to understand all of this anyways :D

Regards
xq
On Tue, May 19, 2020 at 11:17:32PM +0200, Felix Queißner wrote:
> Hey,
>
> > Yes, massively, you are right. I mentioned this in my recent gemlog
> > post on TLS, please see:
> > gemini://gemini.circumlunar.space/users/solderpunk/cornedbeef/tls-musings.gmi
> It might be that your server is currently unreachable, I can't connect
> to port 1965 with IPv4 :(

Whoops, sorry, it literally *just* went down (I navigated to that post to get the URL before sending the email). Honestly, who wrote this buggy thing?!

It's back up now.

Cheers,
Solderpunk
---