TLS, TOFU and the Gemini security model
Bradley D. Thornton
Bradley at NorthTech.US
Wed Sep 25 00:58:06 BST 2019
On 9/24/2019 10:48 AM, solderpunk wrote:
> On Tue, Sep 24, 2019 at 10:19:45AM -0400, Michael Lazar wrote:
>> I want to push back on the idea of TOFU certificates a little bit. Mainly, I
>
> You are right that, because the CA approach to certificate validation is
> so ingrained in the web world, it's actually likely to be much, much
> easier to correctly implement than TOFU. And while there are valid
> criticisms of the CA system, at the very least Gemini could claim to be
> no worse than the web.
>
> How do other people feel about this?
I'm basically along for the ride here, but would suggest that perhaps
more than one model might be specified as an implementation at the
option of the developers? Clients would be able to negotiate based on
what the servers they encounter support?
I do lean towards the CA system. It's known and devs are familiar with
it, where the concept of adoption is concerned.
And having Elpher need to downgrade its security model... I dunno.
>
> What proportion of extant Gemini servers are already using Let's Encrypt
> certs?
>
V'Ger does.
--
Bradley D. Thornton
Manager Network Services
http://NorthTech.US
TEL: +1.310.421.8268