TOFU
<makeworld> It's basically what Bombadillo does. I store the hash of the raw cert, as well as its expiry date. Then for every request, I pass the cert to a function that tries to load the TOFU entry from storage. If it doesn't exist, then the current cert is saved. If the fingerprints match, everything's good. If they don't match, but the expiry date has passed, then the new cert is saved over top of the old one. Otherwise, something malicious has happened
<makeworld> https://pastebin.com/xMsdE5D0
<makeworld> acdw: That's the overview, and the text of my high level function that handles it
<makeworld> It really wasn't that bad to do