Gemini, encryption and decentralised PKI


The main reason Gemini requires encryption is for authentication. There might not be much commercial "content", if any, on Gemini, but there's certainly material that people would like to share online, but only with a small, trusted group. Gemini's built-in authentication mechanism is client-side TLS certificates.


The Gemini server software I maintain, blizanci, supports Titan uploads with TLS certificate-based authentication of clients. Unless a certificate is self-signed, it contains two different names: the subject whose certificate it is, and the issuer who signed it, which might be a so-called Certificate Authority. Blizanci can do authorisation on a per-directory basis, with each directory having its own list of permitted certificate authorities. A self-signed certificate is effectively its *own* certificate authority, so if you want part of your capsule to be limited to certain individuals, you just need to give blizanci a list of PEM files, each holding either a user's own self-signed cert or the certificate authority which signed their cert.


This decouples the management of users from Gemini capsule administration, although the tooling for running your own certificate authority could be improved. It's also a rather different model from how Public Key Infrastructure is normally done, because it's decentralised: each capsule picks and chooses which certificate authorities it's going to respect, rather than there being a global, hierarchical list of CAs imposed by browser vendors. So for small communities layering their private wikis and gemlogs over Gemini and Titan, there's now a way for groups of capsules to coordinate on which users to allow in.
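The per-directory allow list described above, written out as an added example (not blizanci's own code, which is not shown on this page): a directory's list of PEM files becomes the trust root set, and a presented client certificate is accepted only if it is itself listed or was signed by a listed CA. The certificate-issuing helper, the names "Community CA", "member", "solo" and "stranger", and the keys are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// issue makes a certificate for subject with a fresh P-256 key, signed by parent/parentKey
// (self-signed when parent is nil). All keys and certs here are constructed test material.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA, // a CA may sign others; a plain client cert may not
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed: issuer == subject
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// authorised mirrors a per-directory allow list of PEM files: the presented client
// certificate passes if it is itself listed (a self-signed cert acting as its own CA)
// or if a listed CA signed it. Anything else, including expired certs, is refused.
func authorised(clientPEM []byte, allowListPEMs [][]byte) bool {
	block, _ := pem.Decode(clientPEM)
	if block == nil { return false }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return false }
	roots := x509.NewCertPool()
	for _, p := range allowListPEMs {
		roots.AppendCertsFromPEM(p) // each file may hold a self-signed cert or a CA cert
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

Because `Verify` also enforces validity dates and the client-auth key usage, a listed but expired certificate is refused too, which is the check a server should make before trusting a directory's allow list.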


The fact that Titan makes this all bidirectional opens up interesting possibilities for what sort of discussion and information sharing platforms could be brought into Gemini space for small communities.


Blizanci Github page


-- Page fetched on Thu May 2 15:35:07 2024