tomasino
/
gemspace
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

text updates to dane

This commit is contained in:
James Tomasino 2022-02-14 23:55:37 +00:00
parent ba69699998
commit 82f207b6d7
3 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
index.gmi
View File

@ -19,7 +19,7 @@
=> /~tomasino/journal/20211102-freedom.gmi 2021-11-02 Freedom
=> /~tomasino/journal/20211103-making-gemini-easy.gmi 2021-11-03 Making Gemini Easy
=> /~tomasino/journal/20211227-gemini-input.gmi 2021-12-27 Gemini Inputs
=> /~tomasino/journal/20220214-dane-and-tls.gmi DANE and TLS
=> /~tomasino/journal/20220214-dane-and-tls.gmi 2022-02-14 DANE and TLS
## Role Playing Games

6
journal/20220214-dane-and-tls.gmi
View File

@ -2,7 +2,7 @@
Last year I wrote a post on gemini about gemini (ICK) musing over ways to improve TOFU trust and lend some extra credibility to TLS usage as an actual protective mechanism and not just security theater. I shared thoughts based on my experience with SSHFP which did something similar. Some recent gemlog content has brought this back top of mind, so I thought it appropriate to expand and follow up on the idea.
=> SSHFP and the TOFU issue /~tomasino/journal/20210331-sshfp-and-the-tofu-issue.gmi
=> /~tomasino/journal/20210331-sshfp-and-the-tofu-issue.gmi SSHFP and the TOFU issue
In my ignorance I completely missed the existence of a more appropriate solution than SSHFP: DANE.
@ -28,6 +28,10 @@ And here's some python showing how to do the verification:
And here's a little guide on how DANE TLSA records can be checked and created for email. Just substitute 1965 instead of 25 and you're golden. This example also uses LetsEncrypt. Normally that's a PITA because people need to keep reapproving your cert every few months, but if we start building DANE checking into our clients that problem goes away.
=> https://blogs.linux.pizza/deploy-tlsa-records-dane-on-your-email-server-with-lets-encrypt Deploy TLSA Records (DANE) on your Email Server with Let's Encrypt
UPDATE:
I've updated cosmic.voyage with a TLSA/DANE record. If you're looking to build lookup functionality into your client you can feel free to use it for testing.
Originally Published 2022-02-14 at:
gemini://tilde.team/~tomasino/journal/20220214-dane-and-tls.gmi

2
journal/index.gmi
View File

@ -23,4 +23,4 @@
=> /~tomasino/journal/20211102-freedom.gmi 2021-11-02 Freedom
=> /~tomasino/journal/20211103-making-gemini-easy.gmi 2021-11-03 Making Gemini Easy
=> /~tomasino/journal/20211227-gemini-input.gmi 2021-12-27 Gemini Inputs
=> /~tomasino/journal/20220214-dane-and-tls.gmi DANE and TLS
=> /~tomasino/journal/20220214-dane-and-tls.gmi 2022-02-14 DANE and TLS