Updated recommendations regarding TOFU & TLS

Drew DeVault sir at cmpwn.com
Thu Mar 4 17:36:18 GMT 2021

Re-sending, I forgot to Cc the list, because I wasn't Cc'd on the reply.

> Um... no offense intended, but if you're not on the list, then why are
> you posting to the list?
> Honest question.

It's quite common for someone to write to a mailing list without being
subscribed to it. Please use reply-all if you have more to add.

> No it's not. It happens every eighty something-ish days automatically.
> For the foreseeable future, Vger will continue to use LetsEncrypt. Easy
> Peasy!

Suit yourself, but this is NOT easy!

Installing extra software, running an HTTP server (or TLS-ALPN) for LE
to query, running a cronjob (and keeping it running!)... there are a
dozen places for error here and it requires a lot of manual setup. Just
because you already did the work doesn't mean that it's easier!

In Gemini, we have the privilege of skipping all of this entirely and
having zero-configuration TLS. The server generates a certificate and it
just works. This is much easier.
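The two halves of what the thread is arguing about, as an added Go example that is not code from the list or from any Gemini project: a server minting its own certificate with no CA, ACME client or renewal job, and a client applying trust-on-first-use to it. The host name, the fixed serial and the in-memory pin store are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SelfSignedCert is the zero-configuration step: the server mints its own certificate at startup (no CA, no ACME client, no renewal cron job). Returns DER.
func SelfSignedCert(host string, validFor time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // fixed serial for this example only; use a random one in practice
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(validFor),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprint is what a TOFU client pins: SHA-256 over the DER certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// TOFUStore maps host -> first fingerprint seen (in memory here; a real client persists it).
// Check pins an unknown host, accepts a known host only on a matching fingerprint, and rejects a changed certificate.
type TOFUStore map[string]string

func (s TOFUStore) Check(host string, der []byte) (firstUse bool, err error) {
	fp := Fingerprint(der)
	if pinned, known := s[host]; known {
		if pinned != fp {
			return false, fmt.Errorf("tofu: certificate for %s changed since first use", host)
		}
		return false, nil
	}
	s[host] = fp
	return true, nil
}
```

A rejected mismatch is exactly the signal a TOFU client surfaces to the user; a server that regenerates its certificate without warning will trip it for every returning visitor.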

