> On Sep 24, 2016, at 9:00 AM, David Levine <[email protected]> wrote: > >> I've been poking around and I see that there is something that MIGHT >> be worthwhile to look at: something called "trust on first use" (TOFU) > > Sounds good to me, I'd use it.
FWIW, this is how Plan 9 (IMAP) does it. On the first connect to a new site the underlying command bails out after printing a fingerprint of the TLS cert. You are expected to verify the cert out-of-band (using other tools the OS provides), and then update a 'trusted certs' file to allow further unfettered access to the site. It works well if you're comfortable with that sort of thing. But even with our relatively savvy user base, it's not going to fly here. And unless you really know what you're doing, it will do worse for your security outlook than running over plaintext. (The biggest issue being it ignores certificate expiration dates.) The mechanics of doing client cert management are well know and relatively straight forward. The big problems are: 1) the coding is tedious, and 2) getting the UI right, in the face of locally-misconfigured-system adversity, takes a lot of work. I'd rather we spent the time getting it right. This sounds like a candidate for a well-focused 1.8 release. Having had to deal with TLS cert management for IMAP/POP/SMTP (and just plain TLS management) at work, once again, for the last couple of years, I have much too much knowledge of what *doesn't* work for end-users :-P --lyndon _______________________________________________ Nmh-workers mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/nmh-workers
