repo: tlsa action: commit revision: path_from: revision_from: 42aff07a74e59ed5c831a4e3b98abe0059c49293: path_to: revision_to:
commit 42aff07a74e59ed5c831a4e3b98abe0059c49293 Author: epoch <epoch@thebackupbox.net> Date: Wed Aug 31 12:58:27 2022 -0500 added README with some thoughts and stuff diff --git a/README b/README new file mode 100644 index 0000000000000000000000000000000000000000..84186808bf9f9d55db125eee2acff7fdd2c936d5 --- /dev/null +++ b/README @@ -0,0 +1,39 @@ +TODO: + +[ ] load the TOFU certs +[ ] remove a lot of stuff? +[ ] figure out how to get all the needed checks and fallbacks while only making one connection to the server. + +what to do if: + + \ DNSSEC | +TLSA\ good | bad | gone +-----+-------------+--------- +good | a | b | c +-----|------+------+-------- +bad | d | e | f +-----|------+------+-------- +gone | g | h | i + + + DNSSEC | TLSA | +a: good | good | best situation. connect happily. +b: bad | good | but TLSA is good... reject. +c: gone | good | TLSA is present and good. maybe accept but warn? +d: good | bad | TLSA is bad. reject. +e: bad | bad | obviously reject. +f: gone | bad | reject. +g: good | gone | accept but warn? +h: bad | gone | reject. +i: gone | gone | accept because most servers are this way. + +so, it looks like...: + +if DNSSEC == good and TLSA == good: + accept + +else if DNSSEC == bad or TLSA == bad: + reject + +else: + warn, but accept
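Review bot: the final `else` branch ("warn, but accept") covers cases c, g and i without consulting the TOFU store that the first TODO item ("load the TOFU certs") says will be loaded; in exactly those cases the pinned certificate is the only remaining check, so the branch should compare the presented certificate against the stored pin (match: accept; mismatch: reject; unknown host: warn and pin) rather than accept unconditionally. Related, case c ("gone | good | maybe accept but warn?") should not be treated as stronger than case i: a TLSA record from an unsigned or unvalidated zone carries no authentication (RFC 6698 requires clients to disregard TLSA data that is not DNSSEC-validated), so "DNSSEC gone" makes the TLSA column irrelevant and c, g and i collapse to the same TOFU-only path. Finally, the README should define what "bad" means for the DNSSEC column (a bogus validation result versus an indeterminate one, e.g. the resolver does not set AD), since the two warrant different handling, and the ASCII table mixes `-----+` and `-----|` in its separator rows.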