"known in advance" public key authentication?
Ivan Shmakov
oneingray at gmail.com
Wed Nov 7 17:32:27 CET 2012
>>>>> Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
[…]
> I think the OP may want to avoid calling
> gnutls_certificate_verify_peers2, and write their own function to be
> passed to gnutls_certificate_set_verify_function that just compares
> the certificate received against a local file.
The problem is that I'd need to either pass around an otherwise
superfluous X.509 (private key, certificate) file, or to create
it when a connection is to be established.
> https://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html
> Alternately (for a bit more flexibility in re-keying, should that
> come up, at the cost of extra administrative overhead), the OP could
> run their own X.509 or OpenPGP signing authority; then ship that
> signing authority with both peers, and use it to sign the
> certificates of either peer.
To put it short, the application in question uses
“self-certified identifiers”; i. e., the public key /is/ the
identifier of the peer. Thus, there doesn't seem to be any
reason whatsoever to sign the public keys used, and both X.509
and OpenPGP hence become of little use.
--
FSF associate member #7257
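An added example, not code from the thread and not GnuTLS's own, of the "compare the received certificate against a local file" check that the quoted reply suggests. The `struct datum` below is a stand-in for `gnutls_datum_t` so that the file compiles without GnuTLS; in a real verify function registered with `gnutls_certificate_set_verify_function()`, the peer chain would come from `gnutls_certificate_get_peers()` and the function would return `verify_pinned_peer(...)` using the same 0 / non-zero convention. The function is agnostic about what is pinned: pass the whole certificate in DER to pin one certificate, or (closer to the "public key is the identifier" model) the exported SubjectPublicKeyInfo bytes so that a re-issued self-signed certificate carrying the same key still matches. The path name and the sample bytes are constructed for illustration.

```c
/* Added example: pinned-peer check in the shape of a GnuTLS verify
 * callback, written against a stand-in datum type (no GnuTLS needed). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct datum {                 /* mirrors gnutls_datum_t: {data, size} */
    unsigned char *data;
    unsigned int size;
};

/* Constant-time equality over n bytes: the loop always runs to the end,
 * so timing does not reveal where the peer's bytes first differ from
 * the pinned copy. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 0 when the leaf (chain[0]) is byte-identical to the pinned blob,
 * non-zero otherwise: the same convention a GnuTLS verify function uses
 * (0 = continue the handshake, non-zero = abort it). An empty chain, a
 * missing pin or a size mismatch is a rejection, never a pass. */
int verify_pinned_peer(const struct datum *chain, unsigned int chain_len,
                       const struct datum *pinned)
{
    if (chain == NULL || chain_len == 0 || pinned == NULL)
        return 1;
    const struct datum *leaf = &chain[0];
    if (leaf->size == 0 || leaf->size != pinned->size)
        return 1;                       /* different length: cannot match */
    return ct_equal(leaf->data, pinned->data, leaf->size) ? 0 : 1;
}

/* Read the locally stored copy of the peer's identity (DER bytes) into
 * out; the caller frees out->data. Returns 0 on success. */
int load_pinned(const char *path, struct datum *out)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return 1;
    unsigned char *buf = NULL;
    size_t len = 0, cap = 0, n;
    unsigned char tmp[4096];
    while ((n = fread(tmp, 1, sizeof tmp, f)) > 0) {
        if (len + n > cap) {
            cap = (len + n) * 2;
            unsigned char *nb = realloc(buf, cap);
            if (nb == NULL) { free(buf); fclose(f); return 1; }
            buf = nb;
        }
        memcpy(buf + len, tmp, n);
        len += n;
    }
    fclose(f);
    out->data = buf;
    out->size = (unsigned int)len;
    return 0;
}

int main(void)
{
    /* Constructed sample: the "peer" presents the same bytes we pinned. */
    unsigned char pinned_bytes[] = { 0x30, 0x82, 0x01, 0x0a, 0xde, 0xad };
    struct datum pin   = { pinned_bytes, sizeof pinned_bytes };
    struct datum chain[1] = { { pinned_bytes, sizeof pinned_bytes } };
    int rc = verify_pinned_peer(chain, 1, &pin);
    printf("pinned peer check: %s\n", rc == 0 ? "match" : "MISMATCH");
    /* With a real file: load_pinned("/path/to/peer-pin.der", &pin) (assumed path). */
    return rc;
}
```

Because the comparison is over raw bytes, the same function serves a pin on the full certificate or on the bare public key; which bytes to export from the session is a decision for the caller, and for the "self-certified identifier" case the public key is the natural choice.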