Comment by 🦋 CarloMonte

Re: "Superseding X.509 certificates"

In: u/zzo38

Is your requirement the easy replacement of a TOFU certificate? Which one (client or server)?

Did you ask your favourite AI about "methods for replacing TOFU certificates" and "the dangers of home brew PKI schemes"? Then: did you evaluate existing methods?

It is of course doable (the Gemini protocol itself is an example), but the bar is quite high.

🦋 CarloMonte

2024-11-05 · 2 years ago

1 Later Comment

🦂 zzo38 [OP] · 2024-11-05 at 20:11:

This could be used with both server certificates and client certificates (it is also independent of the protocol). I did not ask any AI (I do not have access to them). I did look for existing methods, and they do not seem sufficient to me.

There is another thing that I had also considered, which is separate and not a part of this (but can be used together), to implement something like "web of trust" using a separate file, to allow anyone to sign someone's certificates and include details (e.g. which extensions are understood, levels of trust, etc). I think this separate thing is a different issue, so is handled separately.

Original Post

🦂 zzo38

Superseding X.509 certificates — I had an idea of an X.509 extension for superseding self-signed X.509 certificates, so that it can be used with TOFU (including with Gemini). There are many reasons why you might want to change a certificate, including because the old one will expire soon, or because your name or country has changed, or if you wish to change an extension, or use a better type of key or signature than you had before. Currently, the extension contains: An optional public key which...

💬 2 comments · 1 like · 2024-11-05 · 2 years ago

Proxied content from gemini://bbs.geminispace.org/u/CarloMonte/21548 (external content)
