Using normal tls certificates with gemini
acdw
acdw at acdw.net
Mon Sep 21 20:36:22 BST 2020
On 2020-09-21 (Monday) at 19:04, Alex // nytpu <alex at nytpu.com> wrote:
> Hey everybody,
>
> For my gemini capsule's tls setup, I just used my Let's Encrypt
> certificate since I already had it set up for my web site. However,
> after reading deeper into server setup with gemini, I discovered that
> I'm probably adding a lot of extra request overhead by using a
> certificate from a CA instead of self-signed. Now my problem is that if
> I change out the certificate, then people that have previously visited
> my site may think it is compromised because the certificate changed and
> most clients are TOFU. Should I change out the certificate or is it fine
> to leave it as is?
IMHO, you're fine as-is. I think I changed out breadpunk.club's cert when the Let's Encrypt one for HTTPS updated/changed, but I don't think you have to worry about it til then, if even then. There might be more advanced statistics for who has a full cert vs. self-signed around somewhere, though.
>
> As an additional question, if I was writing a more advanced gemini
> client, should I validate cert chains if they're available or only use
> TOFU on the fingerprint and ignore chains entirely? The spec just says
> to validate however you want, but what's the community's recommendation?
Again, IMHO, but I'd just do TOFU validation on the fingerprint ... unless you want to maybe be the *most* advanced gemini client out there!
--
~ acdw
acdw.net | breadpunk.club/~breadw
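As an added example (not from this thread or from any Gemini project), here is a minimal TOFU fingerprint check of the kind recommended above: it pins the SHA-256 of the server certificate's DER bytes on first contact and flags a later change, which is exactly what a returning visitor would see when a capsule swaps its Let's Encrypt cert for a self-signed one. The certificate bytes, the known-hosts file format, the host name example.capsule and all function names are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for DER-encoded certificates; a real client gets the
# bytes from ssl.SSLSocket.getpeercert(binary_form=True).
LETSENCRYPT_CERT_DER = b"constructed: Let's Encrypt-issued cert for example.capsule"
SELF_SIGNED_CERT_DER = b"constructed: self-signed cert for example.capsule"
def fingerprint(cert_der: bytes) -> str:
    # SHA-256 over the DER bytes, hex-encoded: the value a TOFU client pins.
    return hashlib.sha256(cert_der).hexdigest()
def load_known_hosts(path: Path) -> dict:
    # Parse "host:port sha256 <hex>" lines into {(host, port): hex}.
    pins = {}
    for line in (path.read_text().splitlines() if path.exists() else []):
        parts = line.split()
        if len(parts) != 3 or parts[1] != "sha256":
            continue  # skip malformed lines instead of trusting them
        host, port = parts[0].rsplit(":", 1)
        pins[(host, int(port))] = parts[2]
    return pins
def save_known_hosts(path: Path, pins: dict) -> None:
    path.write_text("".join(f"{h}:{p} sha256 {fp}\n" for (h, p), fp in sorted(pins.items())))
def tofu_check(path: Path, host: str, port: int, cert_der: bytes) -> str:
    # First sight pins the cert ("new"); later visits give "match" or "mismatch".
    # On "mismatch" the pin stays untouched: ask the user, never auto-accept.
    pins = load_known_hosts(path)
    seen = fingerprint(cert_der)
    pinned = pins.get((host, port))
    if pinned is None:
        pins[(host, port)] = seen
        save_known_hosts(path, pins)
        return "new"
    return "match" if pinned == seen else "mismatch"
def accept_new_cert(path: Path, host: str, port: int, cert_der: bytes) -> None:
    # Explicit user decision to re-pin, e.g. after the operator announced the switch.
    pins = load_known_hosts(path)
    pins[(host, port)] = fingerprint(cert_der)
    save_known_hosts(path, pins)
def demo_cert_switch() -> list:
    # Thread scenario: pin the Let's Encrypt cert, revisit, then see the self-signed swap.
    with tempfile.TemporaryDirectory() as tmp:
        path, host = Path(tmp) / "known_hosts", "example.capsule"
        results = [tofu_check(path, host, 1965, LETSENCRYPT_CERT_DER),
                   tofu_check(path, host, 1965, LETSENCRYPT_CERT_DER),
                   tofu_check(path, host, 1965, SELF_SIGNED_CERT_DER)]
        accept_new_cert(path, host, 1965, SELF_SIGNED_CERT_DER)
        results.append(tofu_check(path, host, 1965, SELF_SIGNED_CERT_DER))
        return results
```

Port 1965 is Gemini's default; the "mismatch" result is the moment a client should stop and show the user both fingerprints rather than quietly re-pin.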