Enhancing TOFU
Stephane Bortzmeyer
stephane at sources.org
Mon Mar 8 12:14:06 GMT 2021
On Fri, Mar 05, 2021 at 01:33:49PM +0100,
nothien at uber.space <nothien at uber.space> wrote
a message of 44 lines which said:
> I propose an extension to this, which allows servers to announce
> their intention (in a verifiable way) to change certificates in the
> near future. Essentially, servers now provide (over Gemini) a
> '/.pubkey' URL where they serve the hash of the public key they will
> use in the near future (which may be the same as the public key they
> use right now).
And Drew deVault who said that using Let's Encrypt was too complicated
:-) Anything that requires such operations does not seem to fit with
the principles of Gemini. (And I speak from experience managing DNSSEC
key rollovers.)
Also, this proposal does not address unplanned emergency changes (such
as one triggered by a compromise of the private key). They are one of
the biggest problems with TOFU.
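As an added illustration (not code from this thread or from any Gemini client), here is the client-side pin check the quoted '/.pubkey' proposal implies, including the case where the announced key equals the current one and the unannounced emergency re-key this reply points out. SHA-256 over constructed placeholder bytes stands in for a hash of the server's real SubjectPublicKeyInfo; the host names, key bytes and the one-hex-digest body format are assumptions.

```python
import hashlib

# Constructed sample "public keys". A real client would hash the DER-encoded
# SubjectPublicKeyInfo taken from the server's TLS certificate instead.
KEY_A = b"constructed-spki-bytes-key-A"
KEY_B = b"constructed-spki-bytes-key-B"
KEY_C = b"constructed-spki-bytes-key-C"


def key_hash(spki: bytes) -> str:
    """Hex SHA-256 of the key bytes (assumed digest for /.pubkey)."""
    return hashlib.sha256(spki).hexdigest()


class TofuStore:
    """Per-host pin store: the currently trusted key hash plus the hash
    the server announced at /.pubkey as its next key."""

    def __init__(self) -> None:
        self.pinned = {}     # host -> hash of the key trusted on first use
        self.announced = {}  # host -> hash served at /.pubkey on last visit

    def record_announcement(self, host: str, pubkey_body: str) -> None:
        """Store the /.pubkey body. Only meaningful when it was fetched over
        a connection whose key already matched the pin (see check())."""
        if host in self.pinned:
            self.announced[host] = pubkey_body.strip().lower()

    def check(self, host: str, presented_spki: bytes) -> str:
        """Classify the key a server presents on this connection."""
        h = key_hash(presented_spki)
        pinned = self.pinned.get(host)
        if pinned is None:
            self.pinned[host] = h          # classic TOFU: trust first key
            return "first-use"
        if h == pinned:
            return "match"                 # also covers "announces same key"
        if h == self.announced.get(host):
            self.pinned[host] = h          # planned, pre-announced rotation
            self.announced.pop(host, None)
            return "rotated"
        # An unannounced change (e.g. re-key after a private-key compromise)
        # looks exactly like an attack to the client, so it fails closed.
        return "mismatch"
```

Note that the rotation path only moves the pin to a key whose hash was learned while the old key still verified; a client that has not visited the host since the announcement never sees it and ends up in the same "mismatch" state as for an emergency change.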