rfc: verify-ssh

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 28 14:09:26 CET 2012

 I've added two new functions gnutls_verify_stored_pubkey() and
gnutls_store_pubkey() [0], that allow for an SSH-style authentication.
That is they allow to trust public keys from certificates associated
with a hostname and a service, based on whether they have been seen before.

This by itself is not really much, but using it in a hybrid model where
certificates are verified using the trusted certificate list _and_ the
known public keys, it would increase security overall, as a compromise
of a CA would not be enough to perform man-in-the-middle.

Comments on the idea and the implementation are welcome.



More information about the Gnutls-devel mailing list