TLS certificate sizes in Geminispace
solderpunk
solderpunk at SDF.ORG
Sat Jun 27 09:58:19 BST 2020
----- Forwarded message from solderpunk <solderpunk at SDF.ORG> -----
Date: Fri, 26 Jun 2020 15:57:59 +0000
From: solderpunk <solderpunk at SDF.ORG>
To: Gemini application layer protocol <gemini at lists.orbitalfox.eu>
Subject: Re: TLS certificate sizes in Geminispace
On Fri, Jun 26, 2020 at 05:05:22PM +0200, Felix Queißner wrote:
> > This makes me think it's an error with the server, as opposed to the ED25519 key; I'd love to try another server with this type of certificate for testing.
> Using Kristall works and it's blazingly fast, seems to be a correct
> server configuration
>
Hmm, I think SDF's mail server must be having issues, I'm not seeing
other posts to this thread, even my own replies, but I can see them at
Sloum's Gemini mirror of the list. I'll send this now in the hopes it
gets through eventually...
I think perhaps it is, indeed, the case that older versions of OpenSSL
will choke on this. That *sucks*. I know this is a big problem with
the web, but the web, by virtue of being mostly a commercial enterprise,
needs to support janky old clients because the people using them still
have good money. I figured that since there *are* no janky old Gemini
clients, we would not be bitten by this kind of thing.
Okay, perhaps everybody jumping to ED25519 right now is not viable, but
it should be a medium-term goal and, in the meantime, we can figure out
what the smallest possible widely supported certificate is (without
doing silly things like using tiny key sizes), and build tools / write
docs to help folks generate them.
Cheers,
Solderpunk
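
The size comparison the message proposes can be measured directly. The script below is an added example, not part of the original message or of any Gemini project tooling: it generates throwaway self-signed certificates for three key types and reports each one's DER-encoded size. It assumes OpenSSL 1.1.1 or newer on PATH, and the hostname `gemini.example` is a placeholder.

```shell
#!/bin/sh
# Added example: compare DER sizes of self-signed certificates by key type.
# Assumptions: OpenSSL 1.1.1+ is installed; gemini.example is a placeholder name.

# cert_size <label> <openssl req key options...>
# Generates a throwaway key and self-signed certificate in a temp directory,
# prints the certificate's DER size in bytes, and returns non-zero if the
# local OpenSSL cannot handle the requested key type.
cert_size() {
    label=$1; shift
    dir=$(mktemp -d) || return 1
    if openssl req -x509 "$@" -nodes -days 365 \
           -subj "/CN=gemini.example" \
           -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
       openssl x509 -in "$dir/cert.pem" -outform DER -out "$dir/cert.der"
    then
        wc -c < "$dir/cert.der" | tr -d ' '
        rc=0
    else
        # An OpenSSL build without this key type ends up here.
        echo "unsupported by local OpenSSL: $label" >&2
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Print one row per key type; an empty size means generation failed.
compare_sizes() {
    printf '%-10s %s\n' "key type" "DER bytes"
    printf '%-10s %s\n' "rsa2048" "$(cert_size rsa2048 -newkey rsa:2048)"
    printf '%-10s %s\n' "p256" \
        "$(cert_size p256 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1)"
    printf '%-10s %s\n' "ed25519" "$(cert_size ed25519 -newkey ed25519)"
}

compare_sizes
```

The exact byte counts depend on the certificate extensions that the local OpenSSL configuration adds, so compare the rows against each other rather than against fixed numbers.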