Client certificate musings

Martin Keegan martin at no.ucant.org
Thu May 28 19:28:04 BST 2020


On Thu, 28 May 2020, solderpunk wrote:

> I have been having a small semi-crisis-of-confidence regarding the
> apparently unavoidable complexity of speccing a robust and flexible
> mechanism for in-band authentication with client certificates.  Thanks,
> by the way, to everybody who emailed me or made posts of their own in
> response to that post.

> that way, not because there was a clear motivation.  So far nobody has
> used them for anything and it hasn't exactly ruined the experience.
> People have been building interesting interactive things without client
> certs so far.  The most obvious and compelling use case for client
> certificates for me is for people to be able to put up private content
> for their own use (a private bookmarking or to-do app, for example), and
> that doesn't require anything complicated in Gemini at all, it can be
> done ssh style by whitelisting the fingerprint of a self-signed cert, or
> traditional TLS style by setting up your own CA.

There is no need whatsoever for a crisis of confidence. I certainly have
confidence in your approach to Gemini or I'd not have tried making a
server in an uphill language like Erlang. The client certificate mechanism
is unfamiliar rather than complex. The unfamiliarity will run into
friction in terms of developer resistance and the limitations of existing
code and documentation, but those are only two among many elements in the
tradeoff. Given time, the limitations of SSL libraries will be better
understood or obviated.

Maybe the transient cert thing will take off; maybe it won't. Again, time
will tell and it doesn't need to be resolved any time soon.

I have a pretty clear vision for what I'd like to be able to do with
Gemini: have a visually tasteful, minimalist, distraction-free reading
experience for content that is trivial to publish and trivial to keep just
among my friends, and I feel the ecosystem will be there in a few months
if not weeks.

Mk

-- 
Martin Keegan, +44 7779 296469, @mk270, https://mk.ucant.org/