Re: Certificate renewal under TOFU?

Message headers

From: Matthew Ernisse <matt@going-flying.com>

Subject: Re: Certificate renewal under TOFU?

Date: Thu, 23 Jun 2022 12:34:55 -0000 (UTC)

Message-ID: <slrntb8nff.23p.matt@imladris.colo.ub3rgeek.net>

Message content

On Tue, 21 Jun 2022 09:44:53 +0200, tpt wrote:

> On 18-Jun-22 20:24, danrl wrote:
>> On 2022-06-02, mbays@sdf.org <mbays@sdf.org> wrote:
>>> gemini://gemini.thegonz.net/certRecs.gmi
>>
>> This is very helpful. Thank you.
>>
>> Although long validity times for certs make me uneasy when there are no
>> revocation lists, which brings us back to either PKI or DANE. Both seem
>> better suited for the job than TOFU to me. Luckily, we can combine them
>> (somewhat).
>
> Hypothetically speaking, what would be the arguments against using DANE
> for Gemini? On first glance it seems like a perfect thing for the job.

I don't seem to have the discussion in my mailing list archive, but I seem
to recall that there were those who thought the complexity was too high.
Similar to just getting a real SSL certificate (which I'd argue is trivial
these days), DANE can be complex to set up if you don't already have DNSSEC
signing going for your zone. I don't believe DNSSEC zone signing is even
universally supported by DNS hosts.

--
"The avalanche has started, it is too late for the pebbles to vote."
--Kosh
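As an added illustration, not taken from any message in this thread, of the trade-off being discussed: a minimal model of a DANE-EE TLSA record beside a plain TOFU pin, showing why a published TLSA record survives a certificate renewal while a TOFU pin does not. It assumes the TLSA RRset has already been DNSSEC-validated elsewhere, implements only selector 0 (full certificate), and uses constructed byte strings in place of real DER certificates.

```python
# Added example (not from the thread): DANE TLSA matching for a Gemini
# server certificate beside a TOFU pin.  Assumptions: DNSSEC validation of
# the TLSA RRset happens elsewhere; only selector 0 (full certificate) is
# implemented, so the "certificates" are constructed stand-ins, not DER.
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE: trust this end-entity certificate directly
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo (not modelled)
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def tlsa_data(cert_der: bytes, mtype: int) -> bytes:
    """Association data for selector 0 (the whole certificate)."""
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def make_tlsa(cert_der: bytes, mtype: int = 1) -> TLSA:
    """Build the DANE-EE record an operator would publish at _1965._tcp.<host>."""
    return TLSA(usage=3, selector=0, mtype=mtype, data=tlsa_data(cert_der, mtype))


def presentation(rec: TLSA) -> str:
    """Zone-file form: 'usage selector mtype hexdata'."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


def dane_accepts(cert_der: bytes, records: list[TLSA]) -> bool:
    """Accept if any DANE-EE / selector-0 record matches the presented cert."""
    return any(r.usage == 3 and r.selector == 0
               and tlsa_data(cert_der, r.mtype) == r.data for r in records)


def tofu_pin(cert_der: bytes) -> bytes:
    """What a TOFU client stores on first contact: a hash of the certificate."""
    return hashlib.sha256(cert_der).digest()


def tofu_accepts(cert_der: bytes, pinned: bytes) -> bool:
    """Plain TOFU: the presented certificate must match the stored pin."""
    return tofu_pin(cert_der) == pinned


# Constructed stand-ins for the old and the renewed certificate (not real DER).
OLD_CERT = b"constructed-cert-serial-0001-valid-until-2023"
NEW_CERT = b"constructed-cert-serial-0002-valid-until-2024"
```

After renewal the operator updates the TLSA record in the signed zone, so `dane_accepts(NEW_CERT, ...)` succeeds, whereas a client holding `tofu_pin(OLD_CERT)` rejects the new certificate until its pin is replaced by hand.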

Related

Parent:

Re: Certificate renewal under TOFU? (by tpt <Rajoduo@yahoo.com> on Tue, 21 Jun 2022 09:44:53 +0200)

Start of thread:

Certificate renewal under TOFU? (by danrl <d@x.gl> on Mon, 30 May 2022 03:31:15 -0000 (UTC))

Children:

Re: Certificate renewal under TOFU? (by Gustaf Erikson <gerikson@gmial.com> on Fri, 24 Jun 2022 12:34:52 +0200)