~sircmpwn/drewdevault.com

8b2c376fd3081d934d33dc2d702dc1e3d21e6107 — Drew DeVault a month ago 6bf4cff
Fix algorithm issues
1 files changed, 5 insertions(+), 5 deletions(-)

M content/blog/Gemini-TOFU.md
M content/blog/Gemini-TOFU.md => content/blog/Gemini-TOFU.md +5 -5
@@ 37,13 37,13 @@ certificate, take the following steps:
   dates against the current time, and check that the hostname is correct
   (including wildcards). Apply any other scrutiny you want, like enforcing a
   good hash algorithm or an upper limit on the expiration date. If these checks
   do not pass, the trust state is INVALID, GOTO 4.
   do not pass, the trust state is INVALID, GOTO 5.
2. Compute the certificate's fingerprint. Use the entire certificate (in OpenSSL
   terms, `X509_digest` will do this), not just the public key.[^1]
3. Look up the known_hosts record for this hostname. If one is found, but the
   record is expired, disregard it. If one is found, and the fingerprint does
   not match, the trust state is UNTRUSTED, GOTO 5. Otherwise, the trust state
   is TRUSTED. GOTO 6.
   is TRUSTED. GOTO 7.
4. The trust state is UNKNOWN. GOTO 5.
5. Display information about the certficate and its trust state to the user, and
   prompt them to choose an action, from the following options:
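Review bot: In step 3, the "Otherwise, the trust state is TRUSTED. GOTO 7." branch also covers the cases where no known_hosts record was found or the record was disregarded as expired, so a host that has never been seen is treated as TRUSTED and step 4 (UNKNOWN) is unreachable. Suggest stating the match explicitly, for example "If one is found and the fingerprint matches, the trust state is TRUSTED, GOTO 7", and letting every other case fall through to step 4. Once that is done, the "GOTO 5" in step 4 is plain fall-through and can be dropped.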


@@ 53,10 53,10 @@ certificate, take the following steps:
     must manually edit the known_hosts file to correct the issue.
6. Complete the requested action:
   - If ABORT, terminate the request.
   - If TRUST_TEMPORARY, update the session's list of known hosts, then allow
     the request to proceed.
   - If TRUST_TEMPORARY, update the session's list of known hosts.
   - If TRUST_ALWAYS, append a record to the known_hosts file and update the
     session's list of known hosts, then allow the request to proceed.
     session's list of known hosts.
7. Allow the request to proceed.

If the trust state is UNKNOWN, instead of requring user input to proceed, the
implementation MAY proceed with the request IF the UI displays that a new
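Review bot: The ABORT bullet in step 6 says to terminate the request, but nothing ends the numbered flow there, so read literally it falls through to the new step 7, "Allow the request to proceed." Now that the "allow the request to proceed" wording has been moved out of the TRUST_TEMPORARY and TRUST_ALWAYS bullets, suggest either "If ABORT, terminate the request and stop." or making step 7 conditional ("Unless the action was ABORT, allow the request to proceed."). Minor: "requring" in the paragraph after the list should be "requiring".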