Minimum requirements for client certificates

Kevin Sangeelee kevin at susa.net
Tue Sep 1 00:05:44 BST 2020


I think that, if a server requires a subject and no subject is given, then
it is sensible to say that the certificate is not authorised, in much the
same way that failing to provide a username would render a traditional
login unauthorised. I don't see that as misleading, and it would seem an
application-specific matter to get appropriate credentials from the user.

Kevin

On Mon, 31 Aug 2020 at 17:52, Solderpunk <solderpunk at posteo.net> wrote:

> I think it goes without saying that at the absolute minimum a Gemini
> client certificate ought to be a valid x509 certificate.  I did look
> into this at some stage and IIRC the Issuer needs to be non-empty but
> the Subject does not.  If that is indeed the case, then I'm not sure we
> should mandate anything further.  As makeworld said, such certificates
> might not be suitable for particular applications which make use of the
> Subject.  I guess the appropriate server response there would be 61?  62
> doesn't seem to apply since the certificate is technically valid.  But
> this does make the "CERTIFICATE NOT AUTHORISED" name for 61 misleading.
> Perhaps it ought to be "CERTIFICATE NOT ACCEPTED"?
>
> Cheers,
> Solderpunk
>
>
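
Added example, not part of either message and not code from any Gemini server: a Go sketch of the server-side decision discussed in this thread, where a certificate that parses as valid X.509 but has an empty Subject gets 61 only when the application requires a Subject. The meanings of 60 and 62 are taken from the Gemini specification; the function names, the placeholder issuer name and the sample certificates are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const Success, CertRequired, NotAuthorised, NotValid = 20, 60, 61, 62 // Gemini status codes

// sampleCert builds a throwaway client certificate (constructed input); an empty
// commonName yields an empty Subject. The issuer name is a made-up placeholder.
func sampleCert(commonName string, from, to time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed issuer"}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: commonName}, NotBefore: from, NotAfter: to}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // still parses when the Subject is empty
}

// certStatus is a hypothetical per-application policy: a validity problem maps to 62,
// a valid certificate lacking a Subject that the application needs maps to 61.
func certStatus(cert *x509.Certificate, now time.Time, requireSubject bool) int {
	switch {
	case cert == nil:
		return CertRequired
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return NotValid
	case requireSubject && len(cert.Subject.Names) == 0:
		return NotAuthorised
	}
	return Success
}

func main() {
	now := time.Now()
	anon, err := sampleCert("", now.Add(-time.Hour), now.Add(time.Hour))
	fmt.Println(certStatus(anon, now, true), certStatus(anon, now, false), err)
}
```

The validity check here covers only the NotBefore/NotAfter window; a real server would apply whatever further checks its trust model calls for before reaching the Subject test.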