Trust model for addresses and certificates (DANE etc..)
Carsten Strotmann
carsten at strotmann.de
Fri May 29 21:37:16 BST 2020
Hi,
Jason McBrayer <jmcbray at carcosa.net> writes:
> southerntofu at thunix.net writes:
>
>> Using DANE to distribute certificates reduces the attack surface,
>> because the DNS is already a SPOF for a gemini server. I personally
>> believe the gemini spec should strongly encourage admins to use DANE
>> to distribute their server certificates.
>
> Could you provide a minimal sample implementation of how a client would
> implement this? Just to demonstrate feasibility and to provide a guide
> to other client authors?
I can't give a reference implementation, but as far as I know DANE can
be almost 100% delegated to OpenSSL or GNUTLS.

The DANE User Mailing List
<https://mail.sys4.de/mailman/listinfo/dane-users> is a good place to
get implementation help, sometimes directly from the RFC and OpenSSL
authors.
Greetings
Carsten
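
Added example, not part of the original message and not OpenSSL or GnuTLS code: the TLSA record comparison from RFC 6698 that a client (or the TLS library it delegates to) performs for a DANE-EE (usage 3) record. It assumes the TLSA records were already fetched through a DNSSEC-validating resolver; all function names and the sample "certificate" are constructed for illustration.

```python
import hashlib
import hmac

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, start, _ = _tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, end = _tlv(cert_der, start)   # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(cert_der, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    # tbsCertificate: [version], serial, sigAlg, issuer, validity, subject, SPKI
    idx = 6 if fields and fields[0][0] == 0xA0 else 5
    if len(fields) <= idx:
        raise ValueError("not an X.509 certificate")
    return cert_der[fields[idx][1]:fields[idx][2]]

def tlsa_matches(cert_der, usage, selector, mtype, data):
    """Compare one TLSA record (RFC 6698) with the server's leaf certificate."""
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False                      # only DANE-EE is handled here
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype:                             # 1 = SHA-256, 2 = SHA-512, 0 = exact
        hasher = hashlib.sha256 if mtype == 1 else hashlib.sha512
        selected = hasher(selected).digest()
    return hmac.compare_digest(selected, data)

def dane_ee_ok(cert_der, rrset):
    """True if any (usage, selector, mtype, data) record matches; empty fails."""
    return any(tlsa_matches(cert_der, *rr) for rr in rrset)

def _der(tag, body):  # builds the constructed sample (short-form lengths only)
    return bytes([tag, len(body)]) + body
# Constructed stand-in with the X.509 field layout, not a real certificate.
SAMPLE_SPKI = _der(0x30, b"constructed-public-key")
_tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
        + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _der(0x30, _tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

In a real client the certificate bytes would come from the TLS handshake (for example `ssl.SSLSocket.getpeercert(binary_form=True)` in Python), and a failed match aborts the connection.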