[gnutls-devel] GnuTLS | RFC7250 Raw public keys (!650)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Nov 29 10:29:36 CET 2018
Nikos Mavrogiannopoulos commented on a discussion on lib/cert-cred-rawpk.c:
> + * #gnutls_certificate_credentials_t type to be used for authentication
> + * and/or encryption. @subject_public_key_info and @privkey should match
> + * otherwise set signatures cannot be validated. This function should
> + * be called once for the client because there is currently no mechanism
> + * to determine which raw public-key to select for the peer when there
> + * are multiple present. Multiple raw public keys for the server can be
> + * distinghuished by setting the @names.
> + *
> + * Note here that @subject_public_key_info is a raw public-key as defined
> + * in RFC7250. It means that there is no surrounding certificate that
> + * holds the public key and that there is therefore no direct mechanism
> + * to prove the authenticity of this key. The keypair can be used during
> + * a TLS handshake but its authenticity should be established via a
> + * different mechanism (e.g. TOFU or known fingerprint).
> + *
> + * The supported formats are basic unencrypted key, PKCS8, PKCS12,
ok, that could be an optimization to consider in the future. Resolving.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_121004200
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181129/1ace15cd/attachment.html>
More information about the Gnutls-devel
mailing list