hobby coder here with a question. When implementing client authentication, do we just store the tls client hash? If so how is this not able to be spoofed? I'm guessing there is some public key authentication going on in the background. looking at the spec and some searches only helped a little.

#certificates #client_certificates #programming

=> Posted in: s/Gemini
=> 🍀 gritty

2023-05-27 · 2 years ago

4 Comments ↓

=> ☕️ mozz · 2023-05-27 at 03:54:

the certificate is signed -> the certificate cannot be generated without the owner's private key -> the certificate's hash cannot be generated without the owner's private key -> the certificate hash cannot be spoofed

=> 🕹️ skyjake [mod...] · 2023-05-27 at 06:34:

You may be interested in this thread where the same topic came up:

=> — /s/Bubble/149

=> 🤖 alexlehm · 2023-05-27 at 08:56:

I had a big problem convincing people on another project that the way client hashes are used is in fact secure (since I asked how to do that in a Java server). In the end it turned out to work quite well; I use that in my chat server.

=> 🍀 gritty [OP] · 2023-05-27 at 16:34:

perfect, that's what I thought. thanks everyone!
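
An added example, not code from this thread or from any Gemini server: a server that stores only a certificate hash still runs a full TLS handshake, in which the client must sign the handshake with the private key matching the certificate it presents (CertificateVerify), so the hash is compared only after key possession is proven. The Go sketch below shows a copy of the public certificate without its key being rejected. Assumptions: the stored hash is SHA-256 over the DER certificate, the names `fingerprint`, `selfSigned` and `authenticate` are hypothetical, and all identities are throwaway demo data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fingerprint is the stored "hash": SHA-256 over the DER certificate (assumed convention).
func fingerprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

func selfSigned() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo identity (constructed)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"demo.invalid"}, NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// authenticate runs a real handshake over an in-memory pipe (client side skips server checks: demo only).
func authenticate(server, client tls.Certificate, stored string) error {
	cEnd, sEnd := net.Pipe()
	defer sEnd.Close()                                // also unblocks the client goroutine
	sEnd.SetDeadline(time.Now().Add(2 * time.Second)) // net.Pipe is unbuffered: never hang
	go tls.Client(cEnd, &tls.Config{Certificates: []tls.Certificate{client}, InsecureSkipVerify: true}).Read(make([]byte, 1))
	s := tls.Server(sEnd, &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequestClientCert})
	if err := s.Handshake(); err != nil {
		return err // includes a CertificateVerify signature not made by the certificate's key
	}
	if ps := s.ConnectionState().PeerCertificates; len(ps) == 0 || fingerprint(ps[0].Raw) != stored {
		return fmt.Errorf("client certificate missing or not the stored one")
	}
	return nil
}

func main() {
	server, alice, other := selfSigned(), selfSigned(), selfSigned()
	stored := fingerprint(alice.Certificate[0])
	fmt.Println(authenticate(server, alice, stored)) // alice holds the matching private key
	other.Certificate = alice.Certificate            // alice's public certificate, someone else's key
	fmt.Println(authenticate(server, other, stored))
}
```

The second call fails inside the handshake itself, before any hash lookup happens; it may take up to the two-second deadline because `net.Pipe` has no buffering.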

Original URL: gemini://bbs.geminispace.org/s/Gemini/1111