rfc: verify-ssh

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Jan 28 14:09:26 CET 2012


Hello,
 I've added two new functions gnutls_verify_stored_pubkey() and
gnutls_store_pubkey() [0], that allow for an SSH-style authentication.
That is they allow to trust public keys from certificates associated
with a hostname and a service, based on whether they have been seen before.

This by itself is not really much, but using it in a hybrid model where
certificates are verified using the trusted certificate list _and_ the
known public keys, it would increase security overall, as a compromise
of a CA would not be enough to perform man-in-the-middle.

Comments on the idea and the implementation are welcome.

regards,
Nikos

[0].
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=lib/verify-ssh.c;h=8d6562f705a76ae7f4be4304b433f2aec4191e26;hb=HEAD




More information about the Gnutls-devel mailing list