~sircmpwn/gmni-discuss


Is TOFU always required?

Message ID: <C78CTI3EX8GY.KY8A4KWN4ERY@X200>
DKIM signature: fail
I set up a Gemini server on gemini://markdain.net which just
mirrors my HTTP site. I set up gmnisrv to use the same Let's
Encrypt certs that nginx uses.

When I access this using gmni, I am prompted to accept (TOFU).
Is this by design? That gmni will not accept a trusted cert?

It seems to me it would make cert rotation a lot less painful
if new certs could be automatically trusted somehow.

If Gemini must use TOFU, can someone share best practices?
Should I make a 10 year cert? How do I do cert or key rotation?
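As an added illustration (not gmni's or gmnisrv's code) of why the prompt above appears even with a Let's Encrypt certificate: a minimal TOFU store pins the SHA-256 fingerprint of the first certificate seen for a host, so any rotated cert is a fingerprint change regardless of who signed it. The DER byte strings, the host store and the expiry-based acceptance rule are constructed assumptions for this example, not gmni's actual policy.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-ins for certificate DER bytes. A real client would use
# ssl.SSLSocket.getpeercert(binary_form=True) and the notAfter date parsed
# from the certificate; both are supplied by hand here so the example runs
# offline.
CERT_2020 = b"constructed DER: markdain.net, Let's Encrypt, issued 2020-11"
CERT_2021 = b"constructed DER: markdain.net, Let's Encrypt, issued 2021-02"


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the raw DER: the usual TOFU identity of a certificate."""
    return hashlib.sha256(der).hexdigest()


class TofuStore:
    """Hypothetical per-host store pinning the first certificate seen."""

    def __init__(self) -> None:
        self.known: dict[str, tuple[str, datetime]] = {}  # host -> (fp, notAfter)

    def check(self, host: str, der: bytes, not_after: datetime, now: datetime) -> str:
        fp = fingerprint(der)
        entry = self.known.get(host)
        if entry is None:
            # First contact: nothing to compare against, so the client has
            # to ask the user. This is the prompt gmni shows on first visit.
            self.known[host] = (fp, not_after)
            return "new"
        pinned_fp, pinned_expiry = entry
        if pinned_fp == fp:
            return "trusted"
        # Pure TOFU never consults the CA chain, so a freshly rotated Let's
        # Encrypt cert is indistinguishable from an impostor at this point.
        if now > pinned_expiry:
            # Assumed policy (not gmni's): accept a new cert without a prompt
            # only once the pinned one has expired.
            self.known[host] = (fp, not_after)
            return "rotated"
        return "mismatch"


def demo() -> list[str]:
    """Walk one host through first visit, revisit, early and late rotation."""
    store, host = TofuStore(), "markdain.net"
    exp_2020, exp_2021 = utc(2021, 2, 18), utc(2021, 5, 19)
    return [
        store.check(host, CERT_2020, exp_2020, utc(2020, 11, 20)),  # new
        store.check(host, CERT_2020, exp_2020, utc(2020, 12, 1)),   # trusted
        store.check(host, CERT_2021, exp_2021, utc(2021, 1, 19)),   # mismatch (renewed early)
        store.check(host, CERT_2021, exp_2021, utc(2021, 2, 19)),   # rotated (old one expired)
    ]
```

The third step is the painful case from the question: Let's Encrypt renews well before expiry, so every renewal looks like a fingerprint mismatch to a client that only pins.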
Message ID: <C78CU21JFYBT.2JXANPWO2E8Y@taiga>
In-Reply-To: <C78CTI3EX8GY.KY8A4KWN4ERY@X200>
DKIM signature: fail
gmnisrv handles certificates for you. You don't need to (and should not)
generate anything at all.
Message ID: <C78Y4VBRRAEQ.2Y5THDIOQQBGK@X200>
In-Reply-To: <C78CU21JFYBT.2JXANPWO2E8Y@taiga>
DKIM signature: fail
On Fri Nov 20, 2020 at 7:57 PM GMT, Drew DeVault wrote:
> gmnisrv handles certificates for you. You don't need to (and should not)
> generate anything at all.

Alright, I've changed my site to use gmnisrv's self-signed cert.

Would you accept a patch to change generated certs to be ECDSA
rather than RSA? That would further reduce bandwidth.
Message ID: <C78YFHODDHSR.BUQRZ8WD5MFQ@taiga>
In-Reply-To: <C78Y4VBRRAEQ.2Y5THDIOQQBGK@X200>
DKIM signature: fail
On Sat Nov 21, 2020 at 7:38 AM EST, Mark Dain wrote:
> Would you accept a patch to change generated certs to be ECDSA
> rather than RSA? That would further reduce bandwidth

Sure.