[spec] Outstanding issues
nervuri at disroot.org
Sun Jan 10 12:54:34 GMT 2021
Two privacy-related suggestions:
# Only send client certificates over TLS 1.3
TLS 1.3 encrypts client certs, TLS 1.2 doesn't. On 1.2 your ISP might see the user you log in as, your e-mail address and whatever other information you (are required to) put in the cert. Please consider only allowing client certificates over TLS 1.3 (and newer).
# No OCSP requests
The spec says:
> Clients can validate TLS connections however they like
As long as CA-based validation is allowed in Gemini, consider adding an exception along the lines of "Thou shalt not make OCSP requests", as they are notoriously bad for privacy, add latency and are easy to block by attackers.
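As an added illustration of the first suggestion (this is example code, not part of the original post and not from any Gemini client), the following Python client-side context builder only ever offers a client certificate when the connection floor is TLS 1.3, so the certificate can never be sent in the clear over a TLS 1.2 handshake. Assumptions: the client uses TOFU fingerprint pinning rather than CA validation (so `verify_mode` is `CERT_NONE` and the caller compares `tofu_fingerprint()` against its store), and the function and parameter names are invented for this example.

```python
import hashlib
import ssl

GEMINI_PORT = 1965  # default port from the Gemini spec


def client_cert_min_version(has_client_cert: bool) -> ssl.TLSVersion:
    """Pick the TLS floor for a request.

    Plain requests may negotiate TLS 1.2 (the Gemini minimum), but a request
    that carries a client certificate must use TLS 1.3, where the certificate
    message is encrypted instead of being visible to an on-path observer.
    """
    return ssl.TLSVersion.TLSv1_3 if has_client_cert else ssl.TLSVersion.TLSv1_2


def gemini_client_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Build an SSLContext for one Gemini request (assumed TOFU client).

    certfile/keyfile: optional PEM paths for a client identity certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # TOFU: no CA chain validation here, so no revocation lookup is triggered;
    # the caller verifies the server by comparing tofu_fingerprint() instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = client_cert_min_version(certfile is not None)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tofu_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in colon-separated hex,
    the usual form stored by TOFU-style clients."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_exposure_check(negotiated_version: str, sent_client_cert: bool) -> bool:
    """Belt-and-braces check after the handshake: True if the client cert
    (when one was sent) travelled over TLS 1.3. `negotiated_version` is the
    string returned by SSLSocket.version(), e.g. 'TLSv1.3'."""
    return (not sent_client_cert) or negotiated_version == "TLSv1.3"


if __name__ == "__main__":
    import socket
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    ctx = gemini_client_context()  # no client cert -> TLS 1.2 floor is acceptable
    with socket.create_connection((host, GEMINI_PORT)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            assert cert_exposure_check(tls.version(), sent_client_cert=False)
            print("server fingerprint:", tofu_fingerprint(tls.getpeercert(binary_form=True)))
            tls.sendall(f"gemini://{host}/\r\n".encode())
            print(tls.recv(1024).decode(errors="replace"))
```

The `__main__` block performs a real connection and is only for manual use; the policy lives in `client_cert_min_version()`, which makes the "no client cert over TLS 1.2" rule a property of the context rather than something each call site has to remember.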