About document signing
jan6 at tilde.ninja
Mon May 18 13:29:42 BST 2020
May 18, 2020 2:50 PM, "defdefred" <defdefred at protonmail.com> wrote:
> Hello,
>
> I'm reading Gemini stuff for days now and I feel that the idea of a lighter and safer web is
> marvelous.
>
> I must confess that TLS is a big issue for me.
> I don't really trust TLS as companies/states nowadays use TLS interception and we should consider TLS
> as broken.
Well... the spec recommends TOFU verification, which would mean you can safely self-sign your sites, which many do.
The TOFU part, as is mentioned in the spec, works by trusting the first cert you see,
so all you'd need to do is get the site ONCE, through a trusted connection, and be done with it; you can just ignore all the CAs and chains of trust and whatnot.
So unless the company/state manages to re-encrypt with the exact SAME KEY, you will see it differ, and can warn the user or refuse the connection.
PGP isn't a bad idea, but I don't think there's anywhere CLOSE to as much support for PGP APIs as there is for TLS in various programming languages, and calling an OS program, even when possible, is usually seen as a bad idea...