Standard fingerprint format for TLS certificates
Adnan Maolood
me at adnano.co
Sat Nov 28 18:07:45 GMT 2020
Gemini software is currently fragmented with regard to certificate
fingerprints. It would be nice if there were an agreed-upon way to
calculate fingerprints so that users can easily compare fingerprints
across different software.
Here are some potential fingerprint methods.
- SHA-512 hash of the certificate, encoded in hex with ':' between
octets.
Pros: matches the output of openssl x509 -sha512 -fingerprint
Cons: the resulting fingerprint is very long
- SHA-512 hash of the certificate, encoded in base64.
Pros: easy to encode and decode
Cons: still somewhat long
- SHA-256 hash of the certificate, encoded in base64.
Pros: shorter than the SHA-512 hash
Cons: less secure than SHA-512?
Note that this is the hash of the entire certificate, not just the
public key.
I think we should choose a fingerprint method and stick with it for
consistency.
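The three candidate formats side by side, as an added example that is not part of the original post or of any Gemini client. It assumes (as openssl does) that the hash is taken over the DER bytes of the whole certificate, so PEM input is un-armored first; it also adds a parser that accepts any of the three encodings so fingerprints copied from different clients can be compared byte for byte. The sample certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# PEM armor for a certificate; the body between the markers is base64 DER.
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_der(cert: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as PEM or DER.

    openssl x509 -fingerprint hashes the DER encoding, so a PEM file must be
    un-armored first; hashing the PEM text gives a fingerprint no other tool
    will reproduce.
    """
    m = _PEM_RE.search(cert)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return cert


def fingerprint(cert: bytes, algo: str = "sha512", encoding: str = "hex") -> str:
    """Fingerprint of the whole certificate (not just the public key).

    algo: "sha512" or "sha256".
    encoding: "hex" (upper-case, ':' between octets, as openssl prints it) or
    "base64" (standard alphabet, padded).
    """
    digest = hashlib.new(algo, to_der(cert)).digest()
    if encoding == "hex":
        return ":".join(f"{b:02X}" for b in digest)
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unknown encoding {encoding!r}")


def parse_fingerprint(fp: str) -> bytes:
    """Recover the raw digest from any of the formats above.

    Accepts hex with or without ':' separators in either case, and base64 with
    or without padding. Hex and base64 are told apart by length: a
    SHA-256/SHA-512 hex digest is 64/128 characters, a base64 one 43-44/86-88,
    so the two cannot collide.
    """
    compact = re.sub(r"[\s:]", "", fp)
    if len(compact) in (64, 128) and re.fullmatch(r"[0-9A-Fa-f]+", compact):
        return bytes.fromhex(compact)
    try:
        padded = compact + "=" * (-len(compact) % 4)
        digest = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a recognised fingerprint: {fp!r}") from exc
    if len(digest) not in (32, 64):
        raise ValueError(f"unexpected digest length {len(digest)}")
    return digest


def fingerprints_match(a: str, b: str) -> bool:
    """True if two fingerprints denote the same digest, whatever their format."""
    return parse_fingerprint(a) == parse_fingerprint(b)


if __name__ == "__main__":
    # Constructed placeholder standing in for a DER certificate: just bytes
    # to hash, not a real X.509 structure.
    SAMPLE_DER = bytes(range(256)) * 4
    SAMPLE_PEM = (
        b"-----BEGIN CERTIFICATE-----\n"
        + base64.encodebytes(SAMPLE_DER)
        + b"-----END CERTIFICATE-----\n"
    )
    for algo, enc in (("sha512", "hex"), ("sha512", "base64"), ("sha256", "base64")):
        fp = fingerprint(SAMPLE_PEM, algo, enc)
        print(f"{algo}/{enc} ({len(fp)} chars): {fp}")
    # PEM and DER input of the same certificate must give the same fingerprint.
    assert fingerprint(SAMPLE_PEM) == fingerprint(SAMPLE_DER)
```

Running it shows the length trade-off the list above describes: the colon-separated SHA-512 hex form is 191 characters, SHA-512 base64 is 88, and SHA-256 base64 is 44. Whichever format is chosen, a client that compares via parse_fingerprint rather than string equality will still accept a fingerprint pasted from software that picked another one.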