Astrobotany - Client Certificate Stats
Published 2021-01-06
Preamble
Here are some stats on the client certificates that have registered via astrobotany. I'm dumping this information here in hopes that it might be useful to future spec discussions.
CA Authenticated Certificates
Astrobotany didn't originally use TOFU for client authentication. When I first launched the capsule, I had set up a local CA and asked users to send me CSRs (Certificate Signing Requests) over an HTTP POST request, which I then signed and sent back. This is still documented on the old help page.
This was live for most of May 2019. In the first month I had an astounding 15 users register using this method! 🏆 It still has a soft spot in my heart.
TOFU Certificates
Shortly after launching Astrobotany I was convinced by the mailing list to switch to a TOFU scheme for client certificates. The main advantage was that everything could be done over gemini:// without the client needing to submit anything to the server. Nice! It ended up taking me a while to implement because it required a complete rewrite of my jetforce server to work around python+OpenSSL issues.
After the new version of jetforce was released and the instructions were updated, from June to August there were around 100 registrations using the new TOFU method. Unfortunately, all that I had saved during this period was the certificate fingerprint itself. In August, I wised up and also started recording some additional information for each registered certificate.
- The certificate subject (via rfc4514_string())
- The not valid before date
- The not valid after date
Since then, I have collected 200 more certificates with the subject and validity dates recorded.
Observations
I won't share the individual certificate subjects for privacy reasons, but here are some ballpark stats:
- ~60% of certs only define a CN attribute
- ~20% of certs also include an email address
- ~5% of certs don't define CN but do set other attributes
- There was only one cert with a completely empty subject
Perhaps more interesting than the subject is the expiration date. Around half of the client certificates that I have recorded were created with a validity period of exactly one year. These certs are going to start expiring in 2021. Then what? Should I start locking users out of their accounts?
Clearly the answer is no 😅. I won't ever attempt to validate client certificates besides matching the fingerprint.
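To make the bucketing above and the one-year-expiry check reproducible, here is a small stdlib-only Python script, added as an example and not code from the original post or from astrobotany. It parses the recorded rfc4514 subject strings and validity dates into the same buckets; the registry records are constructed, and it assumes that cryptography's rfc4514_string() writes the email attribute under its dotted OID 1.2.840.113549.1.9.1 rather than as emailAddress.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: cryptography's rfc4514_string() has no short name for emailAddress
# and writes that attribute under its dotted OID, so accept both spellings.
EMAIL_TYPES = {"emailAddress", "1.2.840.113549.1.9.1"}

def parse_rfc4514(subject):
    """RFC 4514 string -> list of (type, value) pairs, empty list for ''."""
    # Split RDNs on unescaped ',' and multi-valued RDNs on unescaped '+';
    # '\X' escapes are undone afterwards (hex-pair escapes are not decoded).
    attrs = []
    for rdn in (re.split(r"(?<!\\),", subject) if subject else []):
        for ava in re.split(r"(?<!\\)\+", rdn):
            typ, _, val = ava.partition("=")
            attrs.append((typ.strip(), re.sub(r"\\(.)", r"\1", val)))
    return attrs

def classify_subject(attrs):
    """Bucket a parsed subject the way the stats above do."""
    types = {t for t, _ in attrs}
    if not types:
        return "empty"
    if types == {"CN"}:
        return "cn_only"
    if "CN" not in types:
        return "no_cn"
    if types & EMAIL_TYPES:
        return "with_email"
    return "cn_plus_other"

def is_one_year(not_before, not_after):
    """The 'exactly one year' default many tools produce: 365 or 366 days."""
    return (not_after - not_before).days in (365, 366)

def summarize(records):
    """records: (rfc4514 subject, not_before, not_after) tuples."""
    subjects, expiring, one_year = Counter(), Counter(), 0
    for subject, not_before, not_after in records:
        subjects[classify_subject(parse_rfc4514(subject))] += 1
        one_year += is_one_year(not_before, not_after)
        expiring[not_after.year] += 1  # when TOFU users would be 'locked out'
    return {"subjects": dict(subjects), "one_year": one_year, "expiring_by_year": dict(expiring)}

# Constructed sample registry in the shape the post describes; not real users.
SAMPLE = [
    ("CN=alice", datetime(2020, 6, 1), datetime(2021, 6, 1)),
    ("1.2.840.113549.1.9.1=bob@example.org,CN=bob", datetime(2020, 8, 14), datetime(2030, 8, 14)),
    ("O=Gemini Club,C=US", datetime(2020, 9, 2), datetime(2021, 9, 2)),
    ("", datetime(2020, 10, 10), datetime(2021, 10, 10)),
    (r"CN=Smith\, John+O=Acme", datetime(2020, 11, 20), datetime(2025, 11, 20)),
]
```

Running `summarize(SAMPLE)` reports three of the five constructed certs with a one-year validity, all of them expiring in 2021; since only the fingerprint is ever matched, that date has no effect on login.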
Anyways... here's the raw data