
repo: tlsa
action: commit
revision:
path_from:
revision_from: 42aff07a74e59ed5c831a4e3b98abe0059c49293:
path_to:
revision_to:

git.thebackupbox.net

tlsa

git://git.thebackupbox.net/tlsa

commit 42aff07a74e59ed5c831a4e3b98abe0059c49293
Author: epoch <epoch@thebackupbox.net>
Date:   Wed Aug 31 12:58:27 2022 -0500

    added README with some thoughts and stuff

diff --git a/README b/README
new file mode 100644
index 0000000000000000000000000000000000000000..84186808bf9f9d55db125eee2acff7fdd2c936d5
--- /dev/null
+++ b/README
@@ -0,0 +1,39 @@
+TODO:
+
+[ ] load the TOFU certs
+[ ] remove a lot of stuff?
+[ ] figure out how to get all the needed checks and fallbacks while only making one connection to the server.
+
+what to do if:
+
+   \ DNSSEC |
+TLSA\  good | bad  | gone
+-----+-------------+---------
+good |  a   |  b   |   c
+-----|------+------+--------
+bad  |  d   |  e   |   f
+-----|------+------+--------
+gone |  g   |  h   |   i
+
+
+   DNSSEC | TLSA |
+a: good   | good | best situation. connect happily.
+b: bad    | good | but TLSA is good... reject.
+c: gone   | good | TLSA is present and good. maybe accept but warn?
+d: good   | bad  | TLSA is bad. reject.
+e: bad    | bad  | obviously reject.
+f: gone   | bad  | reject.
+g: good   | gone | accept but warn?
+h: bad    | gone | reject.
+i: gone   | gone | accept because most servers are this way.
+
+so, it looks like...:
+
+if DNSSEC == good and TLSA == good:
+	accept
+
+else if DNSSEC == bad or TLSA == bad:
+	reject
+
+else:
+	warn, but accept
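Review bot: the final `else:` / `warn, but accept` branch never consults the TOFU store, even though the first TODO item (`[ ] load the TOFU certs`) says those certificates are to be loaded; for rows c, g and i the pinned certificate is the only remaining check, so the fallback should be "compare against the stored TOFU entry; accept if it matches, warn or prompt if the host is new or the key changed" rather than an unconditional accept. On row c (`c: gone   | good | TLSA is present and good. maybe accept but warn?`): a TLSA record that did not come through a DNSSEC-validated answer carries no more assurance than no record at all, because whoever can answer DNS for the name can also hand back a TLSA record matching their own certificate; RFC 6698 requires TLSA records to be DNSSEC-validated before they are used, so treating c the same as i (fall through to TOFU) is the right outcome and the `?` can be resolved that way. It would also help the README to state what `bad` and `gone` mean for the DNSSEC column (validation failure / bogus versus an unsigned zone), since only a real validation failure justifies the hard reject in row h (`h: bad    | gone | reject.`), and that distinction is what the one-connection goal in the third TODO item depends on.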
