TOFU recommendations for Gemini clients
colecmac at protonmail.com
Thu Oct 1 22:55:13 BST 2020
Hello Drew,
You might be interested in a gemlog post I wrote a while back, with basically
the same topic; it's my TOFU recommendations for Gemini.
gemini://makeworld.gq/gemlog/2020-07-03-tofu-rec.gmi
My recommendations are pretty similar to yours. A few differences:
- I don't specify a file/storage format
- The cert fingerprint is generated from just the SPKI section of the cert,
not the entire thing. See the post for rationale.
- The port is also stored (host vs hostname) so that different ports can
use different certs
- I don't make any distinction between temporary and always trust
- I mention SHA-256, but that's just an implementation detail
I also noticed that your flow doesn't seem to update the host data if the
cert has expired, it just allows the request to continue. I assume that's
an error? Or maybe I'm misreading.
Would be happy to hear what you think of my recommendations! I hope
they're useful; I've been trying to spread them on Gemini since I wrote them.
Cheers,
makeworld
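The message above lists the ingredients of the recommended TOFU scheme (SHA-256 over the SubjectPublicKeyInfo only, a pin store keyed by host and port, no temporary/permanent distinction, and updating the stored data once the pinned cert has expired). The following is an added example, written for this page and not taken from the gemlog post or from any Gemini client, that puts those pieces together in stdlib-only Python. It hand-rolls a minimal DER walker to pull the SPKI and notAfter out of a certificate, pins by `host:port`, and handles the expired-pin case as "a differing key is accepted only if the pinned cert has already expired"; that rule is my reading of the remark about expiry in the message, not a quotation of the post. The sample certificates are constructed in code with a dummy signature and dummy public keys (TOFU never checks the signature, so nothing is lost), and `make_cert`, `tofu_check` and `demo` are names chosen here, not functions from any real client.

```python
import calendar
import hashlib
import time

# --- minimal DER helpers: encoder for the constructed samples, decoder for the check ---

def der(tag, body):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv(data, pos=0):
    """Decode the TLV at pos; return (tag, value, offset just past the TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split a SEQUENCE/SET body into its raw child TLVs (tag + length + value kept)."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = der_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out

def tbs_fields(cert_der):
    """tbsCertificate fields, with the optional EXPLICIT [0] version stripped."""
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    return fields[1:] if fields[0][0] == 0xA0 else fields

def spki_fingerprint(cert_der):
    """SHA-256 over the SubjectPublicKeyInfo TLV only, not the whole certificate.
    Field order after the version: serial, signatureAlg, issuer, validity, subject, spki."""
    return hashlib.sha256(tbs_fields(cert_der)[5]).hexdigest()

def not_after(cert_der):
    """notAfter as a Unix timestamp; accepts UTCTime (0x17) and GeneralizedTime (0x18)."""
    _, validity, _ = der_tlv(tbs_fields(cert_der)[3])
    tag, value, _ = der_tlv(der_children(validity)[1])
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return calendar.timegm(time.strptime(value.decode("ascii"), fmt))

def tofu_check(store, host, port, cert_der, now):
    """Trust-on-first-use keyed by host:port. Returns 'new' (first sight, pinned),
    'ok' (same SPKI as the pin), 'rotated' (pin expired, new key accepted and stored)
    or 'mismatch' (pin still valid but the key changed: the client should refuse).
    The expiry rule is an assumption for this example, see the lead-in."""
    key = f"{host}:{port}"
    fp, expiry = spki_fingerprint(cert_der), not_after(cert_der)
    pinned = store.get(key)
    if pinned is None:
        store[key] = (fp, expiry)
        return "new"
    pinned_fp, pinned_expiry = pinned
    if pinned_fp == fp:
        store[key] = (fp, expiry)  # renewal with the same key: just refresh the expiry
        return "ok"
    if pinned_expiry < now:
        store[key] = (fp, expiry)
        return "rotated"
    return "mismatch"

def make_cert(pubkey, not_after_str, serial=b"\x01"):
    """Constructed sample certificate: real structure, dummy P-256 point and dummy signature."""
    ecdsa_sha256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"example.test"))))
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, not_after_str))
    alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))      # id-ecPublicKey
                  + der(0x06, bytes.fromhex("2a8648ce3d030107")))   # prime256v1
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)
                  + ecdsa_sha256 + name + validity + name + spki)
    return der(0x30, tbs + ecdsa_sha256 + der(0x03, b"\x00" + b"\xAA" * 64))

def demo():
    """Walk through the cases a client meets; returns the list of tofu_check outcomes."""
    now = calendar.timegm((2020, 10, 1, 0, 0, 0))          # the date of the message above
    key_a = b"\x04" + bytes(range(1, 65))                   # dummy uncompressed points, not real keys
    key_b = b"\x04" + bytes(range(65, 129))
    store = {}
    return [
        tofu_check(store, "example.test", 1965, make_cert(key_a, b"210601000000Z"), now),           # new
        tofu_check(store, "example.test", 1965, make_cert(key_a, b"220601000000Z", b"\x02"), now),  # ok: renewed, same key
        tofu_check(store, "example.test", 1965, make_cert(key_b, b"220601000000Z"), now),           # mismatch: pin still valid
        tofu_check(store, "example.test", 1966, make_cert(key_b, b"220601000000Z"), now),           # new: port is part of the key
        tofu_check(store, "expired.test", 1965, make_cert(key_a, b"200901000000Z"), now),           # new, but already expired
        tofu_check(store, "expired.test", 1965, make_cert(key_b, b"220601000000Z"), now),           # rotated: pin expired
    ]

if __name__ == "__main__":
    print(demo())
```

The second call is the point of hashing the SPKI rather than the whole certificate: a renewed cert with a new serial and new dates but the same key produces the same fingerprint, so an ordinary renewal does not look like an attack. The fourth call shows why the port belongs in the key: a different service on the same host can legitimately present a different key. Note that `%y` in `strptime` maps two-digit years onto 1969..2068, which is not exactly the X.509 rule (50..99 is 19xx, 00..49 is 20xx); a real client should map the century itself.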