Standard fingerprint format for TLS certificates

Robert "khuxkm" Miles khuxkm at tilde.team
Sat Nov 28 23:08:47 GMT 2020


November 28, 2020 1:07 PM, "Adnan Maolood" <me at adnano.co> wrote:

> Gemini software is currently fragmented with regards to certificate
> fingerprints. It would be nice if there was an agreed upon way to
> calculate fingerprints so that users can easily compare fingerprints
> across different software.
> 
> Here are some potential fingerprint methods.
> 
> - Sha512 hash of the certificate, encoded in hex with ':' between each
> octet.
> Pros: matches the output of openssl x509 -sha512 -fingerprint
> Cons: the resulting fingerprint is very long
> - Sha512 hash of the certificate, encoded in base64.
> Pros: easy to encode and decode
> Cons: still somewhat long
> - Sha256 hash of the certificate, encoded in base64.
> Pros: shorter than the Sha512 hash
> Cons: less secure than Sha512?
> 
> Note that this is the hash of the entire certificate, not just the
> public key.
> 
> I think we should choose a fingerprint method and stick with it for
> consistency.

The one I prefer is `HASH_METHOD:HASH`, where `HASH_METHOD` is the method of the hash (like
`SHA256` or `SHA512`) and `HASH` is the fingerprint with that hash method (without any `:`
separators).

Just my two cents,
Robert "khuxkm" Miles
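As an added example (not code from the thread or from any Gemini client), here are the three presentations from the quoted post plus the `HASH_METHOD:HASH` form from this reply, each computed over the DER bytes of the whole certificate, together with a parser that normalises any of them so two fingerprints printed by different software can be compared. The DER input is a constructed stand-in, and the tagged form's plain-hex digest and the `SHA256`/`SHA512` tag names are assumptions about how the proposal would be written out.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate (not a real certificate);
# pass the DER bytes of a real one instead, e.g. ssl.PEM_cert_to_DER_cert(pem).
SAMPLE_DER = bytes(range(256)) * 2

KNOWN = {"SHA256": 32, "SHA512": 64}  # digest sizes of the two algorithms discussed

def openssl_fingerprint(der: bytes, algo: str = "sha512") -> str:
    """Colon-separated hex, matching `openssl x509 -<algo> -fingerprint` output."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def base64_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Raw digest, base64-encoded (the shorter form from the original post)."""
    return base64.b64encode(hashlib.new(algo, der).digest()).decode("ascii")

def tagged_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """`HASH_METHOD:HASH` as proposed in the reply: name, colon, plain hex digest."""
    return f"{algo.upper()}:{hashlib.new(algo, der).hexdigest()}"

def parse_fingerprint(fp: str) -> "tuple[str, bytes]":
    """Parse any presentation into (algorithm, raw digest); the tag wins, else infer from length."""
    fp = fp.strip()
    tag = None
    head, sep, tail = fp.partition(":")
    if sep and head.upper() in KNOWN:          # HASH_METHOD:HASH form
        tag, fp = head.upper(), tail
    compact = fp.replace(":", "")              # drop openssl-style separators
    try:
        digest = bytes.fromhex(compact)        # hex, with or without ':'
    except ValueError:
        digest = base64.b64decode(compact, validate=True)
    algo = {size: name for name, size in KNOWN.items()}.get(len(digest))
    if algo is None or (tag is not None and tag != algo):
        raise ValueError("unsupported digest length or inconsistent tag")
    return algo, digest

def fingerprints_match(a: str, b: str) -> bool:
    """True when two fingerprints, in any presentation, denote the same digest."""
    try:
        algo_a, dig_a = parse_fingerprint(a)
        algo_b, dig_b = parse_fingerprint(b)
    except ValueError:                         # binascii.Error is a ValueError too
        return False
    return algo_a == algo_b and hmac.compare_digest(dig_a, dig_b)
```

A tagged fingerprint whose tag disagrees with the digest length is rejected rather than silently trusted, so a mislabelled SHA-256 digest never compares equal to a SHA-512 one.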
