Ditching mandatory TLS
Baschdel
baschdel at disroot.org
Sun Jul 5 00:12:45 BST 2020
On 04.07.20 23:59, solderpunk wrote:
> TLS is baked in pretty deep.
Someone who implements Gemini over <TLS_alternative> could, if that
alternative didn't offer anything that can be a drop-in replacement for
client certificates, do a negotiation protocol before doing the usual
Gemini request.
That negotiation would probably look something like this:
Server sends some data. (That could also be the server's public key and a
payload that verifies the server's identity.)
Client signs it and replies with the signature and its public key, or a
well-known placeholder that means "no certificate".
(I didn't even spend two minutes thinking on this, so don't assume this
is THE way to do it.)
What I want to say is that while not easy, it also isn't impossible to
replace TLS.
(If that someone wrote a good library for this in C (or at least with a
C API), it could be bound to most languages people are already writing
Gemini software in (the replacement crypto library has to be ported, and
clients and servers extended to handle the new underlying protocol,
anyway).)
Just throwing the idea out there, have a nice evening!
- Baschdel
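The challenge-response sketch in the post above, worked through as an added example (not code from the post, nor from any Gemini implementation). It uses Go's standard-library Ed25519 as a stand-in for "the replacement crypto library"; the message layout, the protocol label, and the single-byte "no certificate" placeholder are assumptions chosen for illustration. One design choice worth noting: the client signs the server's public key together with the challenge, not the bare challenge, so a signature obtained by one server cannot be relayed to a second server as if the client had authenticated there. The identity-proof payload the post mentions for the server is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// label is a fixed protocol string mixed into what the client signs, so a
// signature from this negotiation cannot be reused where the same key
// signs something else. Name and value are assumptions for this example.
var label = []byte("gemini-cert-negotiation-v0")

// NoCertificate is the well-known placeholder meaning "no client
// certificate". Its encoding (a single zero byte) is an assumption.
var NoCertificate = []byte{0x00}

// ServerHello is the server's first message: its public key and a fresh
// random challenge. The post's optional identity-proof payload is omitted.
type ServerHello struct {
	ServerPub ed25519.PublicKey
	Challenge [32]byte
}

// ClientReply is the client's answer: its public key (or NoCertificate)
// and a signature over the transcript.
type ClientReply struct {
	ClientPub []byte
	Signature []byte
}

// NewServerHello builds the server's message with a fresh challenge.
func NewServerHello(serverPub ed25519.PublicKey) (ServerHello, error) {
	h := ServerHello{ServerPub: serverPub}
	if _, err := rand.Read(h.Challenge[:]); err != nil {
		return h, err
	}
	return h, nil
}

// transcript is the exact byte string the client signs: label, server
// public key, challenge. Binding the server key is what stops relaying.
func transcript(h ServerHello) []byte {
	var b bytes.Buffer
	b.Write(label)
	b.Write(h.ServerPub)
	b.Write(h.Challenge[:])
	return b.Bytes()
}

// Respond is the client side. A nil private key means "no certificate".
func Respond(h ServerHello, clientPriv ed25519.PrivateKey) ClientReply {
	if clientPriv == nil {
		return ClientReply{ClientPub: NoCertificate}
	}
	pub := clientPriv.Public().(ed25519.PublicKey)
	return ClientReply{
		ClientPub: append([]byte(nil), pub...),
		Signature: ed25519.Sign(clientPriv, transcript(h)),
	}
}

// Verify is the server side. It returns the authenticated client key,
// nil for an anonymous client, or an error if the signature is invalid.
func Verify(h ServerHello, r ClientReply) (ed25519.PublicKey, error) {
	if bytes.Equal(r.ClientPub, NoCertificate) {
		return nil, nil
	}
	// ed25519.Verify panics on a malformed key, so check the length first.
	if len(r.ClientPub) != ed25519.PublicKeySize {
		return nil, errors.New("bad client public key length")
	}
	pub := ed25519.PublicKey(r.ClientPub)
	if !ed25519.Verify(pub, transcript(h), r.Signature) {
		return nil, errors.New("client signature does not verify")
	}
	return pub, nil
}

func main() {
	serverPub, _, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)

	hello, _ := NewServerHello(serverPub)
	got, err := Verify(hello, Respond(hello, clientPriv))
	fmt.Println("authenticated:", bytes.Equal(got, clientPub), err)

	got, err = Verify(hello, Respond(hello, nil))
	fmt.Println("anonymous:", got == nil, err)

	// The same reply presented to a different server must fail.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	other, _ := NewServerHello(otherPub)
	_, err = Verify(other, Respond(hello, clientPriv))
	fmt.Println("relayed reply rejected:", err != nil)
}
```

Run with `go run .`; the three lines report a valid client, an anonymous client, and a reply relayed to a different server being rejected. In a real deployment the "payload that verifies the server's identity" from the post would have to sit beside ServerPub in the hello, and the whole exchange would still need an encrypted channel around it, which this example does not provide.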