Conversation
Notices
-
if there’s no CA for Gemini’s TLS, how can one ensure there’s not MITM?
like when the certificate is renewed
-
@Moon @duponin shouldn't that be part of DNS? like with DKIM
-
@methyltheobromine @duponin I'm okay with TOFU on Gemini because you probably don't need high security on Gemini and I think the scary self-signed warning on normal web is bad. But man we really need a replacement for the CA system. I read a thing years ago where Jamie Zawinski admitted the system wasn't even well thought out it was just a quick thing they did in Netscape to get around having no possible good way to do it.
-
@methyltheobromine @duponin trust on first use is not worse than a plain unencrypted website or self signed, you shouldn't trust CAs anyway. it's not ideal but it's not really worse and in some ways it's better
-
@Moon @duponin trust on first use is not much better than unencrypted. you can't even tell if a certificate was simply renewed, or if you're being MITM'd. and while CAs aren't ideal, they do a better job at ensuring authenticity than just having no mechanism for that at all. ideal would be kinda what tor does so a CA wouldn't be necessary
-
@duponin I asked this and was told "doesn't matter"
-
@methyltheobromine @duponin you can mitm dns so you'd have to sign your root zone with dnssec and you're back to having a central authority and both the problems of trusting them and getting their pubkey somehow
HW Y2K-CHECKED FUNGUS
:blobcatflower:
Moon
All 076萌SNS content and data are available under the