"known in advance" public key authentication?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Nov 7 18:11:14 CET 2012


On 11/07/2012 11:32 AM, Ivan Shmakov wrote:
> 	To put it short, the application in question uses
> 	“self-certified identifiers”; i. e., the public key /is/ the
> 	identifier of the peer.  Thus, there doesn't seem to be any
> 	reason whatsoever to sign the public keys used, and both X.509
> 	and OpenPGP hence become of little use.

yes, understood.  Given the ubiquity of these certificate formats, the
simplest thing for you to do with your application is to treat the
certificate format as a (bulky, overcomplicated) container format for
your public key material.

Self-signed certificates (or even un-signed certificates with a bogus
signing mechanism) are perfectly capable of transporting public key
material.

	--dkg



More information about the Gnutls-help mailing list