Midnight Pub

have you seen DANE?

~samo

Running down the alley towards the pub. I have just half an hour before a meeting starts and want a little shot of coffee... When turning from the Main Street I could smell weed in the air; seconds later I could hear the clanking of the graffiti spray. The person had a hoodie on, but I'm almost sure it was she12 making another add-on for the small alley. I bump in through the door. The pub is full, but calm. I take a seat at the counter.

~bartender, a ristretto inverted, and if I may, I'll pay right away.

While he does the magic, a question arises:

Have you seen DANE around here? Is it useful on Gemini? Is it used in the pub?

DANE of the security features
What is DANE?
I receive a little cup and pay. I have another look around the pub, but I know Dane is not sitting anywhere... If he were here, he would probably be standing at the door. The potion smells delicious. I have another long sniff and empty the cup. Then up and off to the meeting...

tracker

Tracker watches as the new patron asks a question to the crowd, hurriedly downs his drink, and rushes out the door.

After thinking for a few moments, he gets up and walks over to the bar, asking for a bit of paper and a pencil from the ~bartender. He scribbles a note on it and hands it back, asking him to pass it on to ~samo next time he comes back through the pub.

The note reads:

"All Gemini requests are TLS-encrypted, and authentication (both by servers and clients) is done using X.509 certificates. Unlike HTTPS, Gemini clients don't expect to authenticate server certificates via a CA-issued certificate chain. Instead, much like SSH, they use TOFU (Trust On First Use) authentication. This allows Gemini servers to either use CA-issued certs or (more commonly) just use self-signed certs. The biggest weakness in this security model is, of course, that if you experience a man-in-the-middle attack on your first visit to a new capsule, you'd never know. TOFU only protects you against sudden unexpected changes in the server certificate AFTER your first visit to the capsule. If I understand DANE correctly, it provides a mechanism for clients to authenticate a server certificate by checking its fingerprint against one that is co-published over DNS. That sounds like a clever, decentralized solution to TOFU's main weakness. I'm not aware of whether any Gemini clients support DANE yet though. If you know of any, please let me know. FYI, it looks like DANE is referenced as a potential added security option on top of TOFU in the official Gemini FAQ. Best of luck, and happy hacking!"

Official Gemini FAQ (see sections 4.5.5 and 4.5.6 for DANE references)
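To make the note above concrete, here is an added example (written for this page; it is not tracker's code and does not come from any Gemini client or from space-age) of the two checks a client could run on the server certificate it receives in the TLS handshake: a TOFU known-hosts pin, and a DANE-EE match against a TLSA record of the kind the capsule owner would publish at `_1965._tcp.<host>` (the usual `_port._proto` TLSA owner name, with 1965 assumed as the Gemini port). The `fake_cert` builder at the end constructs a toy, unsigned DER blob so the example runs offline; the field order `spki_from_cert` relies on is the tbsCertificate order from RFC 5280.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_cert(der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, tbs_pos, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    tag, pos, tbs_end = _tlv(der, tbs_pos)   # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    fields = []
    while pos < tbs_end:
        t, _, end = _tlv(der, pos)
        if t == 0xA0 and not fields:         # optional [0] EXPLICIT version
            pos = end
            continue
        fields.append(der[pos:end])          # whole element, tag and length included
        pos = end
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698), e.g. "3 1 1 <hex>" for a self-signed cert."""
    usage: int      # 3 = DANE-EE: trust exactly this end-entity cert or key
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def _association_data(selector, mtype, cert_der):
    """Compute the bytes a TLSA record's data field is compared against."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return subject
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).digest()


def tlsa_for_cert(cert_der, selector=1, mtype=1):
    """The DANE-EE record a capsule owner would publish for its current cert."""
    return TLSA(3, selector, mtype, _association_data(selector, mtype, cert_der))


def tlsa_matches(rec, cert_der):
    """True if the presented certificate matches a DANE-EE (usage 3) record."""
    if rec.usage != 3:
        # Usages 0-2 also require PKIX chain validation, which Gemini clients
        # do not perform, so only DANE-EE is handled here.
        raise ValueError("only DANE-EE (usage 3) is supported")
    expected = _association_data(rec.selector, rec.mtype, cert_der)
    return hmac.compare_digest(expected, rec.data)


class TofuStore:
    """Known-hosts style pinning of the SHA-256 of the server's DER certificate."""

    def __init__(self):
        self.known = {}

    def check(self, host, cert_der, tlsa=None):
        fp = hashlib.sha256(cert_der).hexdigest()
        if tlsa is not None:                 # a DNSSEC-validated TLSA record closes the first-visit gap
            if not tlsa_matches(tlsa, cert_der):
                return "dane-mismatch"
            self.known[host] = fp            # and the pin then follows the DNS record
            return "dane-ok"
        if host not in self.known:
            self.known[host] = fp            # nothing to compare against: the TOFU window
            return "first-use"
        return "ok" if self.known[host] == fp else "changed"


_der = lambda tag, c: bytes([tag, len(c)]) + c   # toy encoder: short-form lengths only


def fake_cert(key_bytes):
    """Constructed test data: an unsigned toy certificate and its SPKI (not a real cert)."""
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))   # ecdsa-with-SHA256
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                + _der(0x03, b"\x00" + key_bytes))                          # id-ecPublicKey + key bits
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + spki)       # v3, serial, alg, issuer, validity, subject, spki
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9)), spki        # signature left as zeros
```

Two caveats a client author should keep in mind: the TLSA lookup only adds security if the answer is DNSSEC-validated (an unsigned TLSA record can be forged by the same attacker who could man-in-the-middle the first visit), and the example handles only usage 3 (DANE-EE), which is the natural fit for self-signed Gemini certificates; usages 0 to 2 also require the CA-chain validation that Gemini clients do not perform.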

samo

Good thoughts. And thanks for pointing out the sections in the Gemini FAQ... The document is thorough... Still, I am not able to comprehend all of the written things. But layers are unfolding and the concepts are crystallizing. I am new to this thing... What is it called?

Building virtual ecosystems

I have just set up a machine with Debian 12 and made it remotely accessible. I'm trying to set up a server for Gemini, among other things. Now the fresh computer already has several folders of nonfunctional software installed. No files are being served. Yet. I'll have another try later. And I'll try space-age. Is it the one you have written?

~bartender, two beers from the tap, and if anyone... the next round is on me.

tracker

That's right. I wrote space-age.

Just as a reminder, if you wanted to implement DANE, you would need to do that on the client side.

Happy hacking!


samo

About implementing stuff like DANE... no. I am not there yet.

But I got the Gemini server running, and I am getting some taste of remote computing.
