[spec] Outstanding issues

Petite Abeille petite.abeille at gmail.com
Tue Jan 5 23:40:25 GMT 2021



> On Jan 5, 2021, at 21:17, Gary Johnson <lambdatronic at disroot.org> wrote:
> 
> 1. What are the valid/invalid/recommended values for CN, SAN, and
>   expiration dates in certificates in the context of TOFU?

TOFU, as practiced by ssh & co., is about key exchange. One accepts a key, from a given host. There is no notion of "certificates", much less X.509 certificates, just a host+key pair.

Certificates should be entirely ignored as far as TOFU goes. And only viewed as a way to transfer the key. An envelope for the key, due to TLS.

Trying to merge the semantics of the X.509 certificates PKI and TOFU is not TOFU anymore. SEITAN perhaps. An entirely different construct for sure.

℀ ±𝟤¢
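One way to do what the reply describes in code: pin the host+key pair and treat the certificate purely as the envelope that carries the key, ignoring CN, SAN and validity dates. This is an added example, not code from the thread or from any Gemini client; the minimal DER walker, the `tofu_check` store and the `fake_cert` builder are assumptions of this example, and the certificates `fake_cert` produces are constructed, unsigned test fixtures.

```python
import hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """List (tag, elem_start, elem_end) for each element inside a SEQUENCE."""
    out = []
    while start < end:
        tag, _, ve = _tlv(buf, start)
        out.append((tag, start, ve))
        start = ve
    return out

def spki_from_cert(der):
    """Raw SubjectPublicKeyInfo TLV; everything else in the cert is ignored."""
    _, s, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, s)               # tbsCertificate ::= SEQUENCE
    fields = _children(der, ts, te)
    idx = 6 if fields[0][0] == 0xA0 else 5 # optional [0] version shifts fields
    _, fs, fe = fields[idx]
    return der[fs:fe]

def tofu_check(store, host, der):
    """Pin host -> SHA-256 of the key; returns 'new', 'ok' or 'mismatch'."""
    fp = hashlib.sha256(spki_from_cert(der)).hexdigest()
    if host not in store:
        store[host] = fp                   # first use: trust and remember the key
        return "new"
    return "ok" if store[host] == fp else "mismatch"

# --- constructed test certificates (unsigned, structurally valid, demo only) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def fake_cert(spki_body, serial=1, with_version=True):
    seq = lambda b: _der(0x30, b)
    fields = [_der(0xA0, _der(0x02, b"\x02"))] if with_version else []
    # serial, sigalg, issuer, validity, subject (all empty here), then SPKI
    fields += [_der(0x02, bytes([serial])), seq(b""), seq(b""), seq(b""), seq(b""), seq(spki_body)]
    return seq(seq(b"".join(fields)) + seq(b"") + _der(0x03, b"\x00"))
```

A re-issued certificate with a new serial, different subject fields or a fresh expiry still passes as long as the SubjectPublicKeyInfo is unchanged; only a changed key triggers `mismatch`.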



More information about the Gemini mailing list