Using normal tls certificates with gemini
Alex // nytpu
alex at nytpu.com
Mon Sep 21 20:04:22 BST 2020
Hey everybody,
For my gemini capsule's tls setup, I just used my Let's Encrypt
certificate since I already had it set up for my web site. However,
after reading deeper into server setup with gemini, I discovered that
I'm probably adding a lot of extra request overhead by using a
certificate from a CA instead of self-signed. Now my problem is that if
I change out the certificate, then people that have previously visited
my site may think it is compromised because the certificate changed and
most clients are TOFU. Should I change out the certificate or is it fine
to leave it as is?
As an additional question, if I was writing a more advanced gemini
client, should I validate cert chains if they're available or only use
TOFU on the fingerprint and ignore chains entirely? The spec just says
to validate however you want, but what's the community's recommendation?
--
Alex // nytpu
alex at nytpu.com
GPG Key: https://www.nytpu.com/files/pubkey.asc
Key fingerprint: 43A5 890C EE85 EA1F 8C88 9492 ECCD C07B 337B 8F5B
https://e-mail.is-not-s.ms/
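The client-side policy the question asks about, as an added example that is not code from the original post or from any Gemini project: a known-hosts store keyed on the SHA-256 fingerprint of the server's DER certificate, with an optional CA-chain pass in front of it. If the chain validates against the system CA bundle the certificate is accepted and recorded; otherwise the client falls back to TOFU, and a fingerprint change is reported as a mismatch rather than silently replaced. The JSON store layout, the `example.invalid` host and the stand-in DER blobs are this example's own constructions, not real certificates.

```python
"""TOFU pinning for a Gemini client with an optional CA-chain check in front.
Added example; not code from the original post."""
import hashlib
import json
import os
import socket
import ssl
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GEMINI_PORT = 1965  # Gemini's default TLS port


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding: the usual key for TOFU on a certificate."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


@dataclass
class Verdict:
    status: str             # "chain", "new", "match" or "mismatch"
    seen: Optional[str]     # fingerprint previously stored for this host, if any
    presented: str          # fingerprint of the certificate just presented


class KnownHosts:
    """host:port -> fingerprint store, persisted as JSON (layout is this example's own)."""

    def __init__(self, path: Optional[str] = None):
        self.path = path
        self.entries: Dict[str, str] = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.entries = json.load(f)

    def save(self) -> None:
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.entries, f, indent=1)

    def check(self, host: str, port: int, cert_der: bytes,
              chain_verified: bool = False) -> Verdict:
        """CA-verified chain: accept and record. Otherwise TOFU: first sight is
        recorded, a repeat must match, and a change is reported, never auto-replaced."""
        key = f"{host}:{port}"
        presented = fingerprint(cert_der)
        seen = self.entries.get(key)
        if chain_verified:
            self.entries[key] = presented
            return Verdict("chain", seen, presented)
        if seen is None:
            self.entries[key] = presented
            return Verdict("new", seen, presented)
        if seen == presented:
            return Verdict("match", seen, presented)
        return Verdict("mismatch", seen, presented)

    def trust(self, host: str, port: int, cert_der: bytes) -> None:
        """Explicit user override after a mismatch (e.g. the operator announced a new cert)."""
        self.entries[f"{host}:{port}"] = fingerprint(cert_der)


def fetch_peer_cert(host: str, port: int = GEMINI_PORT) -> Tuple[bytes, bool]:
    """Network helper (not exercised offline): return (DER, chain_verified).
    First try full CA validation; if it fails, reconnect with verification off
    so the certificate can still be obtained for the TOFU check."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), True
    except ssl.SSLCertVerificationError:
        pass
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), False


def demo(store_path: Optional[str] = None) -> List[str]:
    """Walk the TOFU outcomes with constructed stand-in DER blobs (not real certs)."""
    cert_v1 = b"constructed-der-placeholder-v1"  # constructed sample input
    cert_v2 = b"constructed-der-placeholder-v2"  # constructed: the "changed" cert
    kh = KnownHosts(store_path)
    host = "example.invalid"  # hypothetical capsule hostname
    out = [kh.check(host, GEMINI_PORT, cert_v1).status]       # first sight
    out.append(kh.check(host, GEMINI_PORT, cert_v1).status)   # same cert again
    out.append(kh.check(host, GEMINI_PORT, cert_v2).status)   # cert changed
    kh.trust(host, GEMINI_PORT, cert_v2)                      # user accepts the change
    out.append(kh.check(host, GEMINI_PORT, cert_v2).status)   # now matches
    kh.save()
    return out


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(os.path.join(d, "known_hosts.json")))
```

Because the store pins the whole certificate, any renewal shows up as a change, and Let's Encrypt certificates are renewed every 90 days; a client that wants to tolerate renewals while the server keeps its key would pin the SubjectPublicKeyInfo instead. The fallback reconnect in `fetch_peer_cert` also means the chain-verified and TOFU paths can see different certificates if the server rotates between the two handshakes, so a client that cares should record both outcomes.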