[spec] Certificate trust

colecmac at protonmail.com colecmac at protonmail.com
Mon Mar 1 01:48:02 GMT 2021

> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK

Unless your computer is using DoH or DoT (or DNSSEC?? Not sure) then your DNS
lookup isn't secure either. If your adversary can sit in between your traffic
and change a capsule's TLS certificate than I don't see why DNS would be very
different. Seems like this just adds complexity but without benefit.


More information about the Gemini mailing list