Open
This would solve a lot of problems with TOFU, enhance security and permit easy certificate changes. It should, of course, be completely optional and fall back to TOFU if no signed TLSA record is found.
A TLSA DANE record is easy to implement by the server DNS admin, if the DNS registrar supports automatic DNSSEC signing (e.g. ovh.com does).
James Tomasino has written a proof-of-concept client in Rust, which is buggy, but I'm sure he'll fix it: https://github.com/jamestomasino/gemini-rust-tlsa
It would be good if such a popular Gemini browser would support this, so others can follow.
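The check the issue proposes, written out as an added example (not code from the browser or from the linked Rust proof of concept): a TLSA record is parsed in both its zone-file and wire forms, compared against the server certificate per RFC 6698, and only a DNSSEC-validated, matching record counts; when no usable signed record exists the client falls back to its TOFU pin store. The record set, the `dnssec_validated` flag and the `pin_store` dict are assumptions standing in for the resolver result and the browser's own trust database, and the certificate bytes are constructed placeholders, not real X.509 data. Only selector 0 (full certificate) is implemented because selector 1 (SubjectPublicKeyInfo) needs an ASN.1 parser; such records are reported as unusable rather than silently treated as a match.

```python
"""DANE TLSA matching with TOFU fallback (added example, not browser code)."""
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 field values used below
USAGE_DANE_EE = 3        # usage 3: pin the end-entity certificate itself
SELECTOR_FULL_CERT = 0   # selector 0: compare/hash the whole DER certificate
SELECTOR_SPKI = 1        # selector 1: compare/hash only SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        """Parse the zone-file form '3 0 1 <hex>' (RFC 6698 section 2.2)."""
        parts = text.split()
        if len(parts) != 4:
            raise ValueError("TLSA presentation format needs four fields")
        usage, selector, matching = (int(p) for p in parts[:3])
        return cls(usage, selector, matching, bytes.fromhex(parts[3]))

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSARecord":
        """Parse RDATA: three one-octet fields, then the association data."""
        if len(rdata) < 4:
            raise ValueError("TLSA RDATA too short")
        return cls(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

    def to_wire(self) -> bytes:
        return bytes([self.usage, self.selector, self.matching_type]) + self.data

    def usable(self) -> bool:
        """Records this client cannot evaluate are ignored, not failed."""
        return (self.usage == USAGE_DANE_EE
                and self.selector == SELECTOR_FULL_CERT
                and self.matching_type in (MATCH_EXACT, MATCH_SHA256, MATCH_SHA512))


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute what a record's data field must contain for this certificate."""
    if selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser")
    if matching_type == MATCH_EXACT:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def publish_record(cert_der: bytes) -> str:
    """What a server admin would put in the zone: '3 0 1 <sha256 of cert>'."""
    digest = association_data(cert_der, SELECTOR_FULL_CERT, MATCH_SHA256)
    return f"{USAGE_DANE_EE} {SELECTOR_FULL_CERT} {MATCH_SHA256} {digest.hex()}"


def verify_server(host: str, cert_der: bytes, tlsa_records, dnssec_validated: bool,
                  pin_store: dict) -> str:
    """Return dane_match, dane_mismatch, tofu_first_use, tofu_match or tofu_mismatch."""
    # An unsigned TLSA answer proves nothing: treat it exactly like "no record".
    usable = [r for r in tlsa_records if r.usable()] if dnssec_validated else []
    if usable:
        for rec in usable:
            expected = association_data(cert_der, rec.selector, rec.matching_type)
            if hmac.compare_digest(expected, rec.data):
                return "dane_match"
        # A signed record that does not match is a hard failure. Falling back to
        # TOFU here would let a mismatching certificate through on first contact.
        return "dane_mismatch"

    # TOFU fallback, as the issue proposes for hosts without a signed record.
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    known = pin_store.get(host)
    if known is None:
        pin_store[host] = fingerprint
        return "tofu_first_use"
    return "tofu_match" if hmac.compare_digest(known, fingerprint) else "tofu_mismatch"


# Constructed stand-ins for DER certificates; not real X.509 data.
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00" + b"gemini-cert-A" * 4
CONSTRUCTED_OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"gemini-cert-B" * 4
```

With a full-certificate record (selector 0) every certificate change requires a DNS update; publishing the SPKI hash instead (selector 1) keeps the record stable across renewals as long as the key is reused, which is the variant a client would want to support once it can parse the certificate.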