[gnutls-devel] RFC 7250 and API change

Rick van Rein rick at openfortress.nl
Mon May 2 08:14:09 CEST 2016


Hello Nikos,

Tom and I are working on
https://tools.ietf.org/html/draft-vanrein-tls-kdh-03
which implements Kerberos tickets as you suggested, per RFC 7250.

What we run into is probably a break with the GnuTLS API, and we'd like to hear
your opinion on this.

The call to gnutls_certificate_type_get() seems to make an implicit assumption
that the same certificate type is used in both directions, but with RFC 7250
(which we are now adding) there is a possibility that these are different.
Applications of GnuTLS might not be aware of this having been added to GnuTLS,
and may end up being confused.

We see various ways to deal with this, but none of them is pretty. Could you
tell us what your preferred approach would be?

Thanks,
Rick & Tom
ARPA2 TLS-KDH crew
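
Added example, not part of the message above and not GnuTLS code: a small C parser for a ServerHello extension list that reads the RFC 7250 client_certificate_type (19) and server_certificate_type (20) selections separately, showing why one getter cannot describe both directions. The names parse_cert_types, struct cert_types and sample_exts are hypothetical, and the sample bytes are constructed.

```c
/* Added example: reports the certificate type selected per direction. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_CLIENT_CERT_TYPE 19 /* RFC 7250 client_certificate_type */
#define EXT_SERVER_CERT_TYPE 20 /* RFC 7250 server_certificate_type */
#define CTYPE_X509 0            /* default when an extension is absent */

struct cert_types { int client; int server; }; /* hypothetical holder */

/* buf is the ServerHello extension list without its outer 2-byte length.
 * Returns 0 on success, -1 on malformed input. */
int parse_cert_types(const uint8_t *buf, size_t len, struct cert_types *out)
{
    size_t off = 0;
    out->client = CTYPE_X509;
    out->server = CTYPE_X509;
    while (off < len) {
        if (len - off < 4) return -1;            /* truncated header */
        unsigned type = ((unsigned)buf[off] << 8) | buf[off + 1];
        size_t elen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        if (elen > len - off) return -1;         /* body runs past the end */
        if (type == EXT_CLIENT_CERT_TYPE || type == EXT_SERVER_CERT_TYPE) {
            if (elen != 1) return -1;            /* server selects exactly one type */
            if (type == EXT_CLIENT_CERT_TYPE) out->client = buf[off];
            else out->server = buf[off];
        }
        off += elen;
    }
    return 0;
}

/* Constructed sample: X.509 (0) for the client, RawPublicKey (2) for the server. */
static const uint8_t sample_exts[] = {
    0x00, 0x13, 0x00, 0x01, 0x00,
    0x00, 0x14, 0x00, 0x01, 0x02,
};

int main(void)
{
    struct cert_types ct;
    if (parse_cert_types(sample_exts, sizeof sample_exts, &ct) != 0) return 1;
    printf("client=%d server=%d differ=%d\n",
           ct.client, ct.server, ct.client != ct.server);
    return 0;
}
```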





