On certificates and validation

Michael Lazar lazar.michael22 at gmail.com
Fri Nov 27 05:06:27 GMT 2020


On Thu, Nov 26, 2020 at 7:04 PM John Cowan <cowan at ccil.org> wrote:
>
> On Thu, Nov 26, 2020 at 1:41 PM Michael Lazar <lazar.michael22 at gmail.com> wrote:
>
>> I fully agree that the expiration date is useless in TOFU schemes.
>
> However, they make all kinds of sense in client certs. If you see an expired
> cert coming from a client, it is most likely a replay attack (or a broken
> client). If the client cert is meant for user identification, you will of
> course need to provide the hash of the newly created cert to the server
> administrator.

I think you're referring to a compromised client certificate and not a replay
attack [0]. If you truly mean replay attack as in a MITM where neither the
client nor the server has been compromised, I would be *very* interested in learning
more about this because I thought the TLS handshake was resistant to this type
of replay.

On compromised client certificates: A compromised client certificate is in the
same boat that a compromised server certificate would be in. There is no
recourse within the TOFU model. You can rotate the cert, but the expiration
date doesn't protect you against anything. Sending new fingerprints to the
server administrator out-of-band would surely work, but you are no longer using
trust on first use.

You can argue that TOFU is a crappy model for client certificates since client
certs are typically used to grant access to verified identities. I would
mostly agree with that, although working on astrobotany has shown me that there
*are* at least some valid use cases for client TOFU schemes.

What this comes down to - *I think* - is that people are conflating trust on
first use with "anything but the web's root CAs". There are many valid
ways to establish trust, each with their own tradeoffs:

- PKI with a small number of universally recognized root CAs (the web)
- PKI with self-managed CAs
- Trust on first use
- Passing around certificate fingerprints over email
- ...

These can be mixed and matched between the server and client sides of the
connection, too.

- Michael

[0] https://en.wikipedia.org/wiki/Replay_attack
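The trust-on-first-use behaviour the message describes (the fingerprint is pinned on first contact, the expiration date is never consulted, and a rotated certificate can only be re-trusted by receiving the new fingerprint out-of-band), as an added example that is not part of the post or of any Gemini client. The host name, the `TofuStore` class and the certificate byte strings are constructed for illustration; a real client would hash the DER bytes of the peer certificate it received during the TLS handshake.

```python
"""Minimal trust-on-first-use (TOFU) pin store, modelled on SSH known_hosts.

Added example: hypothetical code, not from the mailing-list post.
"""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded certificates. A real client would
# pass the bytes returned by ssl.SSLSocket.getpeercert(binary_form=True).
CERT_V1 = b"constructed-der-cert-v1-for-example-only"
CERT_V2 = b"constructed-der-cert-v2-after-rotation"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, the usual shape of a TLS fingerprint.

    Note what is *not* here: no notBefore/notAfter parsing. A TOFU check
    pins the whole certificate, so expiry carries no information for it.
    """
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Pins one fingerprint per host and reports how a presented cert compares."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, der_cert: bytes) -> Tuple[str, str]:
        """Return (verdict, fingerprint).

        verdict is one of:
          "trusted_first_use" - no pin existed; the cert is pinned now
          "match"             - presented cert equals the pinned one
          "mismatch"          - different cert; the connection must be refused
                                (compromise or rotation look identical here)
        """
        fp = fingerprint(der_cert)
        known: Optional[str] = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return ("trusted_first_use", fp)
        if known == fp:
            return ("match", fp)
        return ("mismatch", fp)

    def repin(self, host: str, fp_out_of_band: str) -> None:
        """Replace a pin with a fingerprint obtained outside the TOFU channel
        (e.g. mailed by the server administrator). This is the only recourse
        after rotation or compromise, and at this point the model is no longer
        pure trust-on-first-use.
        """
        self.pins[host] = fp_out_of_band


def walkthrough() -> list:
    """Run the scenario from the post and return the sequence of verdicts."""
    store = TofuStore()
    host = "gemini.example"  # constructed host name
    verdicts = []
    verdicts.append(store.check(host, CERT_V1)[0])  # first contact: pinned
    verdicts.append(store.check(host, CERT_V1)[0])  # same cert: match
    verdicts.append(store.check(host, CERT_V2)[0])  # rotated cert: mismatch
    store.repin(host, fingerprint(CERT_V2))          # fingerprint received out-of-band
    verdicts.append(store.check(host, CERT_V2)[0])  # now trusted again
    return verdicts


if __name__ == "__main__":
    for step, verdict in zip(["first use", "repeat", "after rotation", "after repin"],
                             walkthrough()):
        print(f"{step:15s} -> {verdict}")
```

The `mismatch` branch is the crux of the thread: from the client's side a legitimately rotated certificate and a substituted one are indistinguishable, and nothing in the certificate itself (expiry included) helps decide between them. Whatever a client does on mismatch (refuse, prompt, or accept a fingerprint delivered by another channel) is a policy layered on top of TOFU, not part of it.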