[tech] [spec] TLS statistics
Stephen
stephen at drsudo.com
Wed Dec 30 19:19:22 GMT 2020
> * 66 certs are signed by Let's Encrypt
> * 35 pass OpenSSL validation
> * 359 fail OpenSSL validation (not signed by a trusted CA, expired, etc)
66 is more Let's Encrypt certs than I would have guessed. For better or worse, they seem a bit out of place in gemini. When I was setting up my server, I was almost going to use my Let's Encrypt cert, but I'm glad I didn't. The Let's Encrypt method is antithetical to the TOFU model of certs. Using a trusted CA is irrelevant and regularly updating your certs (often a month in advance of expiry) is not good with TOFU.
> * 3 : Not After 9999
I wish I had gone this way. I think with TOFU this is the only sane way (essentially the same as ssh host keys).
~Stephen
More information about the Gemini mailing list