[tech] Pre-generated trust stores for various Gemini clients
nervuri at disroot.org
Thu Apr 29 14:50:21 BST 2021
On Wed, 2021-04-28, Anna “CyberTailor” wrote:
>It'd be better an opt-in feature (like HSTS Preload for the web)
>because otherwise capsules, whose owners didn't know about the list,
>may just break.
This would only happen on certificate change, in the same way it would
if you had previously visited the capsule: your client would warn you
that it received a different cert. The chances of that are happening
can be reduced by not bundling short-lived certificates.
I see the certificate's expiry date as a kind of opt-in: if a cert
expires in 100 years, we can assume it's ok to bundle with clients.
It's up to each client developer where to draw the line. I guess it
would depend on release frequency.
Ideally, clients could include the option to refresh the trust store
from a chosen source (thereby providing a way to do out-of-band
verification). This option could be shown to the user on every cert
mismatch warning. The lag between certificate change and trust store
generation is an issue here, but it's better than not having the option
at all. We could eliminate the lag by using a Convergence-like approach
(which I'm working on, but that's a different discussion).
More information about the Gemini