dane and tls

atom.xml

@@ -4,7 +4,7 @@
   <title>tomasino@tilde.team</title>
   <link rel="alternate" href="gemini://tilde.team/~tomasino/"/>
   <link rel="self" href="gemini://tilde.team/~tomasino/atom.xml" />
-  <updated>2021-11-03T21:57:00Z</updated>
+  <updated>2022-02-14T12:37:00Z</updated>
   <id>gemini://tilde.team/~tomasino/</id>
 
   <author>
@@ -12,6 +12,21 @@
     <uri>gemini://tilde.team/~tomasino/about.txt</uri>
   </author>
 
+
+  <entry>
+    <title>DANE and TLS</title>
+    <link href="gemini://tilde.team/~tomasino/journal/20220214-dane-and-tls.gmi"/>
+    <id>gemini://tilde.team/~tomasino/journal/20220214-dane-and-tls.gmi</id>
+    <updated>2022-02-14T12:37:00Z</updated>
+  </entry>
+
+  <entry>
+    <title>Gemini Inputs</title>
+    <link href="gemini://tilde.team/~tomasino/journal/20211227-gemini-input.gmi"/>
+    <id>gemini://tilde.team/~tomasino/journal/20211227-gemini-input.gmi</id>
+    <updated>2021-12-27T16:24:00Z</updated>
+  </entry>
+
   <entry>
     <title>Making Gemini Easy</title>
     <link href="gemini://tilde.team/~tomasino/journal/20211103-making-gemini-easy.gmi"/>

index.gmi

@@ -16,10 +16,10 @@
 ## Recent Journal Entries
 
 => /~tomasino/journal/ All Entries
-=> /~tomasino/journal/20211027-pagekite.gmi 2021-10-27 Pagekite Routing for Gemini
-=> /~tomasino/journal/20211029-cds.gmi 2021-10-29 Re: Compact Discs / Is Obsolete Technology Obsolete?
 => /~tomasino/journal/20211102-freedom.gmi 2021-11-02 Freedom
 => /~tomasino/journal/20211103-making-gemini-easy.gmi 2021-11-03 Making Gemini Easy
+=> /~tomasino/journal/20211227-gemini-input.gmi 2021-12-27 Gemini Inputs
+=> /~tomasino/journal/20220214-dane-and-tls.gmi DANE and TLS
 
 ## Role Playing Games
 

journal/20211227-gemini-input.gmi

@@ -0,0 +1,12 @@
+# Gemini Inputs
+
+I made a video about how to handle input in Gemini. It covers the status code 10 techniques in CGI as well as strategies for using client certificates. You can view the video over on youtube. If you are a Peertube user, you have my permission to duplicate the video to that network. I don't currently have a Peertube account running.
+
+=> https://www.youtube.com/watch?v=9Anh0sNUCY4 Youtube Video on Gemini Inputs
+
+
+Originally Published 2021-12-27 at:
+gemini://tilde.team/~tomasino/journal/20211227-gemini-input.gmi
+
+If you have questions or thoughts to add please send me a link to your response.
+=> /~tomasino/about.txt Contact Information

journal/20220214-dane-and-tls.gmi

@@ -0,0 +1,36 @@
+# DANE and TLS
+
+Last year I wrote a post on gemini about gemini (ICK) musing over ways to improve TOFU trust and lend some extra credibility to TLS usage as an actual protective mechanism and not just security theater. I shared thoughts based on my experience with SSHFP which did something similar. Some recent gemlog content has brought this back top of mind, so I thought it appropriate to expand and follow up on the idea.
+
+=> SSHFP and the TOFU issue /~tomasino/journal/20210331-sshfp-and-the-tofu-issue.gmi
+
+In my ignorance I completely missed the existence of a more appropriate solution than SSHFP: DANE.
+
+> DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC). - Wikipedia
+
+That's right, it's an automated authentication mechanism that binds TLS to DNS via DNSSEC so you can be sure that the server's certificate is valid for that server and not a MITM attack, even with TOFU. It is literally the solution to our exact problem and it is a spec that works in practice today.
+
+Here's a rough outline of how it all flows together:
+* Server owner generates a TLS certificate
+* Server owner also generates the DANE record for that cert (see below for links on how)
+* Server owner wires up DNS with DNSSEC (see your DNS provider for how)
+* Server owner adds DANE record for _1965._tcp.gemini.xxxxxx to match their server usage
+* Client author adds DANE checking to their client code! (Comes up with a cool green lock icon in URL bar that is definitely not lifted from another source)
+* Client checks for DANE record when hitting server and encountering a new cert. If present and matches, automatically approve. If not present, follow user's TOFU preference (Yellow lock icon?)
+* Profit
+
+I know you nerds love IETF documentation, so here you go:
+=> https://www.ietf.org/id/draft-huque-dane-client-cert-07.html IETF DANE Draft
+
+And here's some python showing how to do the verification:
+=> https://github.com/getdnsapi/getdns-python-bindings/blob/master/examples/checkdanecert.py Python TLSA verification
+
+And here's a little guide on how DANE TLSA records can be checked and created for email. Just substitute 1965 instead of 25 and you're golden. This example also uses LetsEncrypt. Normally that's a PITA because people need to keep reapproving your cert every few months, but if we start building DANE checking into our clients that problem goes away.
+=> https://blogs.linux.pizza/deploy-tlsa-records-dane-on-your-email-server-with-lets-encrypt Deploy TLSA Records (DANE) on your Email Server with Let's Encrypt
+
+
+Originally Published 2022-02-14 at:
+gemini://tilde.team/~tomasino/journal/20220214-dane-and-tls.gmi
+
+If you have questions or thoughts to add please send me a link to your response.
+=> /~tomasino/about.txt Contact Information

journal/index.gmi

@@ -22,3 +22,5 @@
 => /~tomasino/journal/20211029-cds.gmi 2021-10-29 Re: Compact Discs / Is Obsolete Technology Obsolete?
 => /~tomasino/journal/20211102-freedom.gmi 2021-11-02 Freedom
 => /~tomasino/journal/20211103-making-gemini-easy.gmi 2021-11-03 Making Gemini Easy
+=> /~tomasino/journal/20211227-gemini-input.gmi 2021-12-27 Gemini Inputs
+=> /~tomasino/journal/20220214-dane-and-tls.gmi DANE and TLS