Can someone please explain to me why some gemini browsers are completely ignoring the Common Name field in certs and requiring domains to be in the Subject **ALTERNATIVE** Name (SAN) field? This feels like it's completely incorrect and broken.
11 months ago
Validating *any* X.509 field while using a TOFU scheme is incorrect and broken, but here we are ๐คทโ. Cargo culting is a powerful force in cybersecurity. ยท 11 months ago
@jsreed5 I found the culprit. Apparently in 2011, there was an rfc published that said if an SAN exists, then the CN should not be checked. I don't understand why this is a thing, but it is: https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4 ยท 11 months ago
https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4
The Gemini protocol specification does not require any particular information to be contained in client or server certificates. I'm guessing that vagueness is resulting in certs being handled different from server to server. ยท 11 months ago