TOFU recommendations for Gemini clients

Drew DeVault sir at cmpwn.com
Thu Oct 1 22:58:24 BST 2020

Previous message (by thread): TOFU recommendations for Gemini clients
Next message (by thread): [ANN] New gtk client, with colors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu Oct 1, 2020 at 5:55 PM EDT,  wrote:
> - I don't specify a file/storage format

Yeah, it's not necessary for us to standardize, but for what it's worth
at least one other client has implemented my known_hosts format and I
moved it to a more general location (~/.local/share/gemini), so we have
a chance to establish a software agnostic trust store if we so desire.

> - The cert fingerprint is generated from just the SPKI section of the
> cert, not the entire thing. See the post for rationale.

Aye, your rationale is good. Like I mentioned, the reason I hash the
whole thing is to match the output of openssl x509 -sha512 -fingerprint,
so that it's easier to independently verify the fingerprint.

The ability for the server operator to replace the cert with a fresh one
with the same PK and have the TOFU entry remain trusted is interesting,
but seems fraught with some risk. In any case, I'm of the opinion that
operators should never directly handle certificate maintenance in a TOFU
system.

> - The port is also stored (host vs hostname) so that different ports can
> use different certs

Good call, I'll think about this.

> - I mention SHA-256, but that's just an implementation detail

I just went with SHA-256 because I don't expect these files to be
hand-edited often and the hash, while longer and more cumbersome, is
more likely to be useful for longer.

> I also noticed that your flow doesn't seem to update the host data if
> the cert has expired, it just allows the request to continue. I assume
> that's an error? Or maybe I'm misreading.

The first step is to validate the certificate independently of the trust
store. If it has expired, it would fail this step. Other things checked
here include the valid hostnames, desired hashing algorithms, or
anything else you find it useful to validate. Technically we don't even
need to store the expiration.

So yeah, the known hosts data does not get updated when the cert
expires, but the expired cert would not be trusted anyway.

> Would be happy to hear about what you think of my recommendations! I
> hope they're useful, I've been trying to spread them on Gemini since I
> wrote them.

Thanks for sharing! I'll add a link to my article.

Previous message (by thread): TOFU recommendations for Gemini clients
Next message (by thread): [ANN] New gtk client, with colors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Gemini mailing list