Removing expiry dates for TOFU

Hannu Hartikainen hannu.hartikainen+gemini at gmail.com
Thu Jul 9 15:24:49 BST 2020

Previous message (by thread): Removing expiry dates for TOFU
Next message (by thread): Removing expiry dates for TOFU
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If you're willing to look at unusual uses of TLS, I'll mention that there's
also an RFC for OpenPGP-based TLS encryption. This is not a recommendation!

https://tools.ietf.org/html/rfc6091

That would allow web-of-trust based infrastructure. But as there are no
widespread implementations, it will be a pain to use in practice.

In my very humble opinion, a community-based distributed trust system is
safer than TOFU and more suitable for non-commercial use than CA based PKI.
But in practice *any* TLS is much, much safer than plaintext as it
completely prevents eavesdropping without a full-fledged MitM attack.

A more practical way of building a web of trust upon TOFU would be for
browsers to export cert fingerprint lists that people can share on their
sites. These could be compared and imported, and with some human
interaction we should notice when MitM attacks start happening in practice.

-Hannu

On Thu, 9 Jul 2020 at 01:19, Solderpunk <solderpunk at posteo.net> wrote:

> Thanks for sharing this!  I will read it closely.  It's a shame if it's
> not widely implemented, but there may well still be good ideas in there,
> or details we've overlooked.
>
> Cheers,
> Solderpunk
>
> On Wed Jul 8, 2020 at 11:27 PM CEST, Petite Abeille wrote:
> >
> >
> > > On Jul 8, 2020, at 20:25, Phil Leblanc <philanc at gmail.com> wrote:
> > >
> > > Yes. Looks interesting, and it goes in the right direction.
> > > Unfortunately, the RFC is already quite old (2014)  and according to
> > > Wikipedia, it is only supported by GnuTLS (I didn't check directly).
> > >
> > > Do you know if it is already used in some visible applications?
> >
> > Hmm, no :) Just stumbled upon it on the openssl mailing list, where
> > someone was asking if it was supported:
> >
> > RFC 7250 raw public keys?
> > https://www.mail-archive.com/openssl-users@openssl.org/msg88412.html
> >
> >
> > There is an open issue for it:
> >
> > Raw Public Key (RFC 7250) support
> > https://github.com/openssl/openssl/issues/6929
> >
> >
> > mbedtls seems to have something:
> >
> > Support Raw Public Key mode (RFC7250)
> > https://github.com/ARMmbed/mbedtls/pull/336
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20200709/3128bd33/attachment.htm>

Previous message (by thread): Removing expiry dates for TOFU
Next message (by thread): Removing expiry dates for TOFU
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Gemini mailing list