Re: "State of the Nat^W Misfin"

In: s/misfin

All self-signed certs are good for is making sure that repeat connections are with the _same_ party. Assuming anything else is not good.

What's in the certificate or in the message is just words that someone types in.

🚀 stack

2025-09-09 · 8 months ago

1 Later Comment

⛄️ gim [OP] · 2025-09-09 at 20:49:

I think I just had bad luck with mentioned public instance.

I looked at estampa misfin server just a few minutes ago, and this one actually gets cert from the host set inside senders cert and uses that to verify senders cert (good/sane).

Still, that functionality should be a requirement, and not an optional feature.

🌒 s/misfin

⛄️ gim:

State of the Nat^W Misfin — I have just learned about something, that I find truly bizarre. Advanced Misfin servers may perform CA validation in addition to TOFU. In this scheme, upon receiving a message from a sender with an unrecognized host, the Misfin server may perform a single blank request to the sender's host, and store its certificate. That stored certificate can then be used to verify the certificates of senders purporting to be from that host. I'm baffled, as why is this is not a...

💬 4 comments · 2025-09-09 · 8 months ago