![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Tossing out an idea re: ew0k, "Your Gemini Browser and Server are Probably Doing Certificates Wrong"
There was a geminispace gemlog post we saw recently about certificates describing an issue and we wanted to respond to it. We continue to not be on Geminispace and not be experts in networking anything - our qualifications amount to having seen a YouTube video about Superfish once - so ... yeah, don't go off the fact that we made this suggestion, somebody who knows what they're talking about vet this.
Anyway, we have a metaphor involving four characters - Adrian (who's set up a website), Binny (a computer manufacturer), Cory (a certificate authority), and us (a casual browser) - and two certificates - an old one and a new one.
So, here's the version that takes place on the HTTP web.
We arrive at a new and unfamiliar building in this town we're visiting and there's a certificate taped up in the window saying, "This is Adrian's building, Cory vouches for me". We have no idea who either of these people are, but when we bought a bus ticket from Binny, it came with a tourist guide, and the tourist guide says that Cory's legit and we can trust certificates that Cory vouches for, so we go in.
Some months later, after we've become well acquainted with Adrian's deal and formed a valid impression of this proprietor, we walk up to the building and there's a new certificate in the window. It's still signed by Cory, though, and Binny's tourist guide still vouches for Cory, so we trust this new certificate too. And yeah, it turns out that it still seems to be Adrian in here, so - good! Cool cool.
...and here's the version in Geminispace according to our best understanding of the blog post:
We arrive at a new and unfamiliar building in this town we're visiting and there's a certificate taped up in the window saying, "This is Adrian's building". We have no idea who this is, but we have a notebook, so we write down a copy of the cert that Adrian put up so we can recognize it in the future.
Some months later, after we've become well acquainted with Adrian's deal and formed a valid impression of this proprietor, we walk up to the building and there's a new certificate in the window. We have no idea if it's Adrian's certificate or some con artist pulling a fast one, but we wanna visit Adrian's place, so we kinda just have to write down the new one and hope everything is fine.
So, the problem with this is: Adrian putting up a new certificate is indistiguishable to us, some rando who showed up on a bus last week, from a third party pulling a fast one to scam us. It's not a good scene.
The thing is, though, there are three people we trust in these hypotheticals: we trust Binny because the company is reputable, we trust Cory because Binny's tourist guide says so, and we trust Adrian because we've been following Adrian's site and think it's a good one. And in the HTTP version, we trust Adrian's new certificate because it's signed by Cory. But in the Gemini version, can Adrian just ... sign the new certificate with the old certificate?
Like, think about it. We trust the old certificate, expired or no, because we've been a regular at Adrian's this whole time and the certificate's been the same. So if we see that the old certificate signed the new one, we know there's a continuity - that the same Adrian we've been trusting this whole time validates Adrian's new certificate.
Like I said, our qualifications amount to watching a YouTube video about Superfish once, so we might just be wrong. And we've never done anything with TLS, so we don't know if this is even feasible for Adrian to do. But it feels like a possibility to consider.