Updated recommendations regarding TOFU & TLS

Petite Abeille petite.abeille at gmail.com
Thu Mar 4 23:25:52 GMT 2021



> On Mar 5, 2021, at 00:13, Phil Leblanc <philanc at gmail.com> wrote:
> 
> On Thu, Mar 4, 2021 at 11:05 PM Petite Abeille <petite.abeille at gmail.com> wrote:
>> 
>>> so, "Petite Abeille" sounds more positive to me :-)
>> 
>> An apiculturists commune this is not.
> 
> Right. What an amazing thread...

You are not saying :P

> Anyway, thanks to Drew DeVault for his TOFU/TLS recommendations. I am
> not sure any of the 36+ following replies related to it  - but I may
> have missed some :-)

Not really, no. Mostly pests control. Go figure.

That said, I still don't get the TOFU usage model in the context of Gemini... not that I necessarily need to understand it to have a good night sleep, but still... out of curiosity...

In ssh, I know the host, therefore I trust the key. Plus, this happens only every blue moon. No brainer.

Not so in the wild-wild Gemini space.

Infinite number of esoteric, fly-by-night operators.

All harmless for sure, but still.

What's the trust model, if any?

Or is it more like Trust-And-Pray (TAP)?

In which case, why bother? Just ignore all certificates and be merry.

This is what a Little Bee impersonator had to say on GitLab:

Trust on first use (TOFU) is akin to unprotected intercourse: you must trust your partner to keep Gonorrhea at bay.

No trust, no use.

https://gitlab.com/gemini-specification/protocol/-/issues/5#note_522445814

It was not well received, needless to say. 

That much is clear.

±0¢



More information about the Gemini mailing list