[spec] Outstanding issues

nervuri nervuri at disroot.org
Sun Jan 10 12:54:34 GMT 2021

Two privacy-related suggestions:

# Only send client certificates over TLS 1.3

TLS 1.3 encrypts client certs, TLS 1.2 doesn't.  On 1.2 your ISP might see the user you log in as, your e-mail address and whatever other information you (are required to) put in the cert.  Please consider only allowing client certificates over TLS 1.3 (and newer).

# No OCSP requests

The spec says:

> Clients can validate TLS connections however they like

As long as CA-based validation is allowed in Gemini, consider adding an exception along the lines of "Thou shalt not make OCSP requests", as they are notoriously bad for privacy, add latency and are easy to block by attackers.
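As an added, runnable illustration of both suggestions (this is my own example code, not the poster's and not taken from any Gemini server or client), the Go program below puts the two server settings side by side: a server that still allows TLS 1.2 receives the client certificate over a cleartext handshake, while a server with `MinVersion` set to TLS 1.3 refuses a 1.2-only client and only ever receives the certificate inside the encrypted part of the handshake. It also shows the check a request handler can make before trusting an identity. The client validates the server by pinning its certificate, as a TOFU Gemini client would, so it makes neither CA nor OCSP lookups. The names `capsule.example` and `alice` are constructed, the handshakes run over an in-memory `net.Pipe` so nothing touches the network, and session tickets are disabled on the server only so that the pipe has no post-handshake writes to deadlock on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate for the in-process demo (constructed, not from any deployment).
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// ServerConfig requests a client certificate. With minVersion = TLS 1.3 (the post's suggestion) the
// certificate only travels inside the encrypted handshake; with 1.2 allowed, a 1.2 client sends it in cleartext.
func ServerConfig(cert tls.Certificate, minVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		ClientAuth:             tls.RequestClientCert,
		MinVersion:             minVersion,
		SessionTicketsDisabled: true, // no post-handshake writes, so net.Pipe cannot deadlock
	}
}

// ClientConfig presents a client certificate, pins the server certificate like a TOFU Gemini client (no CA, no OCSP) and caps the version.
func ClientConfig(cert, server tls.Certificate, maxVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates:       []tls.Certificate{cert},
		MaxVersion:         maxVersion,
		InsecureSkipVerify: true, // turns off CA validation only; the pin below still verifies
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) != 1 || string(raw[0]) != string(server.Certificate[0]) {
				return errors.New("server certificate does not match the pinned one")
			}
			return nil
		},
	}
}

// Handshake runs one handshake over an in-memory pipe and returns the server's view.
func Handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	sc, cc := net.Pipe()
	defer func() { sc.Close(); cc.Close() }()
	srv, cli := tls.Server(sc, server), tls.Client(cc, client)
	clientErr := make(chan error, 1)
	go func() { clientErr <- cli.Handshake() }()
	serverErr := srv.Handshake()
	if err := <-clientErr; err != nil {
		return tls.ConnectionState{}, err
	}
	return srv.ConnectionState(), serverErr
}

// Negotiate builds throwaway certs, runs a server that allows serverMin and up
// against a client capped at clientMax, and returns what the server saw.
func Negotiate(serverMin, clientMax uint16) (tls.ConnectionState, error) {
	server, err := selfSigned("capsule.example") // constructed names
	alice, err2 := selfSigned("alice")
	if err != nil || err2 != nil {
		return tls.ConnectionState{}, fmt.Errorf("certificate generation failed: %v %v", err, err2)
	}
	return Handshake(ServerConfig(server, serverMin), ClientConfig(alice, server, clientMax))
}

// ClientIdentity is the handler-side check: a client certificate counts as an identity only if it arrived on TLS 1.3.
func ClientIdentity(st tls.ConnectionState) (*x509.Certificate, error) {
	if st.Version < tls.VersionTLS13 || len(st.PeerCertificates) == 0 {
		return nil, errors.New("no usable client certificate: absent, or sent over a pre-1.3 handshake")
	}
	return st.PeerCertificates[0], nil
}

func main() {
	for _, v := range [][2]uint16{{tls.VersionTLS12, tls.VersionTLS12}, {tls.VersionTLS13, tls.VersionTLS12}, {tls.VersionTLS13, tls.VersionTLS13}} {
		st, err := Negotiate(v[0], v[1])
		_, idErr := ClientIdentity(st)
		fmt.Printf("server min %#x, client max %#x: handshake=%v, cert seen=%v, identity=%v\n", v[0], v[1], err, len(st.PeerCertificates) > 0, idErr)
	}
}
```

Running it prints three lines: the permissive server completes a TLS 1.2 handshake and has already received the certificate (which is exactly what an on-path ISP could also read), and `ClientIdentity` refuses to use it; the strict server fails the 1.2-only client with a protocol-version alert before any certificate is exchanged; and the strict server with a 1.3 client receives the certificate encrypted and `ClientIdentity` accepts it. The `ClientIdentity` check is deliberately redundant with `MinVersion`, so that a handler stays safe even if someone later relaxes the server configuration.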

