Comment by 🛰️ repeater
@skyjake: I think I'm basically just asking for a UI very similar to a typical password manager, where passkeys are freshly generated for each site the same way passwords should be. That would probably be ideal.
I can't even begin to justify the work required to implement such a thing given how few sites can be logged into at the moment anyway though, so…perhaps you did the right thing after all, the more I think about it! I'll stop my ranting now.
Jul 16 · 5 months ago
When it comes to the identities sidebar, yeah it's pretty rudimentary. It becomes cumbersome if you have lots of certificates, and definitely should be worked on.
@skyjake: Ah, didn't mean to race you on the replies. Sorry about that.
I was unaware that some sites use the common name in the certificate. That certainly changes things a bit. Thank you for the correction there, and for your thoughts in general.
@repeater & skyjake: good idea, but please don't forget the other browsers. So if, say, there is a common format for a cert per site, I could copy e.g. a folder into my Gemini.koplugin or Amfora or all the other browsers people use.
It sounds to my pleb brain like a formal spec change, or will devs start using these per-site folders for per-site scripts, per-site stylesheets, etc.?
Sites that use certificates should probably mention what they expect the certificate to contain (including optional things). I agree that the default should be to create a new certificate and key per site (and I think should probably use the same key algorithm and signature algorithm as the server's certificate by default since this is most likely to be compatible with the server), but it should be possible to import any X.509 certificate that you want to as long as you have the corresponding private key.
I did make up a format for transferring certificates, bookmarks, and other things between different browsers, although it is not currently in use. However, if the formats used by other browsers are known, a program can be written to convert to/from the format.
According to the Gemini spec:
"Clients MUST NOT automatically generate a client certificate and use it to repeat the request without the active involvement of the user. Clients MUST NOT use a client certificate generated in response to this status code for a request to a different host, a different port, or a path on the same host and port which is above the path of the URL in the original request unless directed to do so by the user."
Unless I'm misinterpreting this, the protocol already enforces different client certificates for different hosts. And that would be great news from a privacy standpoint, because otherwise using the same client certificate everywhere would be an absolutely distinct fingerprint, not worthy of a protocol that claims to address privacy issues!
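The scoping rule quoted in the comment above, turned into a small certificate-store check. This is an added example, not code from Lagrange or any other Gemini client; it assumes the default Gemini port 1965 and deliberately takes the conservative reading that a certificate is only offered for requests at or below the path it was created for (the spec text itself only forbids paths above, so sibling paths are a judgement call here):

```python
from urllib.parse import urlsplit

GEMINI_DEFAULT_PORT = 1965  # assumed default port for gemini:// URLs


def _origin(url):
    """Split a gemini:// URL into (host, port, path segments)."""
    parts = urlsplit(url)
    if parts.scheme != "gemini":
        raise ValueError(f"not a gemini URL: {url}")
    host = (parts.hostname or "").lower()
    port = parts.port or GEMINI_DEFAULT_PORT
    # "/app/post" and "/app/post/" both become ["app", "post"]
    segments = [s for s in parts.path.split("/") if s]
    return host, port, segments


def certificate_scope_allows(cert_url, request_url):
    """True if a client certificate first created for cert_url may be reused
    without asking the user for request_url: same host, same port, and the
    request path must not be above the original path.
    Assumption (stricter than the literal spec wording): the original path's
    segments must be a prefix of the request's segments, so a sibling path
    such as /app/other is also treated as out of scope for /app/post."""
    c_host, c_port, c_segs = _origin(cert_url)
    r_host, r_port, r_segs = _origin(request_url)
    if c_host != r_host or c_port != r_port:
        return False
    return r_segs[:len(c_segs)] == c_segs


class ClientCertStore:
    """Per-site store: each certificate is remembered together with the URL
    that triggered its creation, which defines the scope it may be reused in."""

    def __init__(self):
        self._entries = []  # list of (cert_url, cert_label)

    def add(self, cert_url, cert_label):
        self._entries.append((cert_url, cert_label))

    def lookup(self, request_url):
        """Return the label of a certificate in scope for request_url, or None.
        None means the client must prompt the user instead of reusing silently,
        which is what keeps one identity from leaking across hosts."""
        for cert_url, label in self._entries:
            if certificate_scope_allows(cert_url, request_url):
                return label
        return None
```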
Thank you very much for bringing up this point, avan. I will now be using a different (certificate-free) browser for regular browsing than I do for posting.
@zzo38: From what I'm reading, the spec seems to be all but set in stone, so your voluntary approach looks like the best hope.
Original Post
So is there any downside to re-using the same certificate on multiple sites? In theory, would it allow two servers communicating to realize that I am the same user and thus track me? Lagrange makes it very easy to use the same certificate, and I feel like making new ones for every site would be a little cluttered. If I should be using a different one on each, wouldn't it be best if Lagrange made the process less manual?