Re: Certificate renewal under TOFU?

Message headers

From: reidrac@sdf-eu.org

Subject: Re: Certificate renewal under TOFU?

Date: Thu, 2 Jun 2022 06:16:12 +0000

Message-ID: <alpine.NEB.2.21.2206020608310.18132@odin.sdf-eu.org>

Message content

On Tue, 31 May 2022, mbays@sdf.org wrote:

> [...]
> On 2022-05-30, danrl <d@x.gl> wrote:
>> What's the guidance on certificate renewal under TOFU?
>>
>
> If you just want to extend the expiry date, I think the best thing to do
> is to sign a new certificate with the *same* keypair. At least some
> clients do TOFU based on the public key, rather than the certificate
> itself, and probably all should. You can do this using appropriate
> openssl commands -- if you can't find the right commands, I can find
> them for you.

That sounds like something that should be part of a Gemini FAQ. I had no
idea you could do it and that some clients would check the public key!

I would also recommend setting the expiry date way into the future, like
say 100 years. Renewing the certificate is certainly one of the problems
of relying on TOFU.
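As an added example (not part of this thread), the renewal mbays describes, written as a shell script around openssl: a certificate is re-signed with the existing private key, and the script shows that the public-key (SPKI) fingerprint, which key-pinning TOFU clients compare, stays the same while the certificate fingerprint changes. The hostname, file paths and validity periods are constructed placeholders.

```shell
#!/bin/sh
# Added example: renew a self-signed Gemini server certificate while keeping
# the SAME keypair, then compare what TOFU clients pin. Hostname, paths and
# validity periods below are constructed placeholders.
set -eu

HOST="${GEMINI_HOST:-example.org}"        # placeholder hostname
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/server.key"
OLD_CERT="$WORKDIR/old.crt"
NEW_CERT="$WORKDIR/new.crt"

# SHA-256 over the DER SubjectPublicKeyInfo: stable across key-reusing renewals.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the whole certificate: changes on every renewal (new serial,
# new validity dates, new signature), so certificate-pinning clients warn.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry date of a certificate, for a before/after check.
not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Exit status 0 when both certificates carry the same public key.
same_pubkey() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# 1. Initial certificate: fresh RSA keypair, deliberately short validity.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$OLD_CERT" \
    -days 1 -subj "/CN=$HOST" 2>/dev/null

# 2. Renewal: -key reuses the existing private key instead of generating one.
openssl req -x509 -key "$KEY" -out "$NEW_CERT" \
    -days 3650 -subj "/CN=$HOST" 2>/dev/null

echo "old cert expires: $(not_after "$OLD_CERT")  SPKI $(spki_fingerprint "$OLD_CERT")"
echo "new cert expires: $(not_after "$NEW_CERT")  SPKI $(spki_fingerprint "$NEW_CERT")"
if same_pubkey "$OLD_CERT" "$NEW_CERT"; then
    echo "same public key: clients that pin the key accept the renewed certificate"
fi
```

Clients that pin the full certificate fingerprint will still see a change after this renewal; only the SPKI fingerprint survives it.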

Related

Parent:

Re: Certificate renewal under TOFU? (by mbays@sdf.org on Tue, 31 May 2022 18:38:29 GMT)

Start of thread:

Certificate renewal under TOFU? (by danrl <d@x.gl> on Mon, 30 May 2022 03:31:15 -0000 (UTC))

Children:

Re: Certificate renewal under TOFU? (by mbays@sdf.org on Thu, 02 Jun 2022 17:14:51 GMT)