Question about TLS certificate policy
Ryan Westlund
rlwestlund at gmail.com
Mon Nov 9 17:06:34 GMT 2020
I've been reading about Gemini and part of me likes the decision to
abandon certificate authorities in favor of TOFU, but I have a
question about how this works. The Gemini specification says:
> If the certificate is not the one previously received, but the previous certificate's expiry date has not passed, the user is shown a warning, analogous to the one web browser users are shown when receiving a certificate without a signature chain leading to a trusted CA.
Doesn't this mean that the replacement certificate must be deployed at
*exactly* the right time to avoid errors? If you deploy it even a day
ahead of time, users will see errors? And users will see errors if you
are late to replace it?
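The quoted rule can be turned into a small decision procedure, which makes the timing question concrete. The following is an added example, not code from the Gemini specification or from any Gemini client: it keeps a per-host record of the last-seen certificate fingerprint and its expiry, and applies the quoted rule on each connection. The store layout, the outcome labels, the host name and the certificate bytes are all constructed for the illustration; a real client would obtain the DER bytes from its TLS library (for example `ssl.SSLSocket.getpeercert(binary_form=True)` in Python) and parse the expiry from the certificate.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class KnownCert:
    """What a TOFU store remembers about a host (assumed layout)."""
    fingerprint: str      # SHA-256 of the DER-encoded certificate, hex
    not_after: datetime   # expiry date of that certificate


def fingerprint(der_bytes: bytes) -> str:
    """Pin the whole certificate by hashing its DER encoding."""
    return hashlib.sha256(der_bytes).hexdigest()


def tofu_decision(store: dict, host: str, der_bytes: bytes,
                  not_after: datetime, now: datetime) -> str:
    """Apply the quoted Gemini rule to one connection.

    Returns one of (labels are constructed for this example):
      "first-use": no certificate known for the host; remember this one
      "match":     same certificate as before; nothing to do
      "warn":      different certificate while the remembered one has not
                   expired; the user must be shown a warning
      "rotated":   different certificate and the remembered one has expired;
                   accept and remember the new one
    """
    fp = fingerprint(der_bytes)
    known = store.get(host)
    if known is None:
        store[host] = KnownCert(fp, not_after)
        return "first-use"
    if known.fingerprint == fp:
        return "match"
    if now < known.not_after:
        # Replacement presented before the old certificate's expiry date:
        # the store is left untouched and the caller shows a warning.
        return "warn"
    store[host] = KnownCert(fp, not_after)
    return "rotated"


def early_rotation_scenario() -> list:
    """Walk through the situation asked about: a certificate replaced one
    day before the old one expires, then seen again one day after expiry."""
    store = {}
    host = "example.org"                         # constructed host name
    old_cert = b"constructed-old-certificate-der"  # constructed, not real DER
    new_cert = b"constructed-new-certificate-der"  # constructed, not real DER
    t0 = datetime(2020, 11, 9, tzinfo=timezone.utc)
    old_expiry = t0 + timedelta(days=30)
    new_expiry = t0 + timedelta(days=395)

    results = [
        tofu_decision(store, host, old_cert, old_expiry, t0),
        tofu_decision(store, host, old_cert, old_expiry, t0 + timedelta(days=10)),
        # New certificate deployed one day early: old one is still unexpired.
        tofu_decision(store, host, new_cert, new_expiry, old_expiry - timedelta(days=1)),
        # Same new certificate seen one day after the old expiry date.
        tofu_decision(store, host, new_cert, new_expiry, old_expiry + timedelta(days=1)),
    ]
    return results  # ["first-use", "match", "warn", "rotated"]


if __name__ == "__main__":
    for step, outcome in enumerate(early_rotation_scenario(), 1):
        print(f"connection {step}: {outcome}")
```

Read literally, the rule puts a replacement presented while the stored certificate is still unexpired into the warning branch, and the same replacement presented after that expiry date into the silent-accept branch; what a client does with the store after the user has seen the warning is left to the client.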