[gnutls-devel] GnuTLS | WIP: RFC7250 Raw public keys (!650)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sun Sep 16 19:21:51 CEST 2018


Tom commented on a discussion on doc/cha-gtls-app.texi:

>  (i.e. different for the client than for the server).
>  
>  Currently supported types are:
> -CTYPE-X509 or CTYPE-X.509. Catch all is CTYPE-ALL.
> +CTYPE-X509 or CTYPE-X.509, CTYPE-RAWPK or CTYPE-RAWPUBKEY. Catch all is CTYPE-ALL.
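Review bot: the new sentence mixes "or" (an alias of the same type) with "," (a different type), so a reader cannot tell that CTYPE-X509/CTYPE-X.509 and CTYPE-RAWPK/CTYPE-RAWPUBKEY are two types with one alias each; suggest "CTYPE-X509 (alias CTYPE-X.509) and CTYPE-RAWPK (alias CTYPE-RAWPUBKEY); the catch-all is CTYPE-ALL." The paragraph should also state that the order in which CTYPE keywords appear in the priority string is the order of preference used when the peer accepts more than one type, since that is the behaviour the discussion below relies on and the surrounding text only says the setting can differ between client and server.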

If we are going to support raw public-keys then we have different certificate credential types. A user must therefore be able to set a preference for which credentials should be chosen first during the negotiation in the handshake. A server administrator could for example set both an X509 certificate credential and raw public-key. Depending on what a client is willing to accept (this can be negotiated via our new cert type extensions) the server presents either one of its credentials. But if a client accepts for example both a regular x509 certificate as well as a raw public-key then you should be able to specify an order of preference. That is where the priority strings come in. The same holds for the client in case of a client certificate request.

So just as we are able to specify a priority order of the available ciphers and other cryptographic params, we also want to be able to specify an order of preferred (certificate) credentials types. Previously, pgp was also an option in this list. If you will accept my tls-kdh patch (which will be next in line ;-)) then we get another certificate type (representing a kerberos ticket).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/650#note_101688743
You're receiving this email because of your account on gitlab.com.
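As an added illustration of the preference ordering described in the comment above (my own stand-alone model, not GnuTLS code): the side that holds several credential types walks its own ordered CTYPE list and takes the first type that the peer's list also contains, so its priority string decides whenever the peer accepts more than one type. The colon separator, the expansion order of CTYPE-ALL and reusing the same function for either direction of the RFC 7250 negotiation are assumptions of this model.

```c
#include <string.h>
#define MAX_CTYPES 8

/* Certificate credential types named by the priority-string keywords above. */
typedef enum { CTYPE_UNKNOWN = -1, CTYPE_X509 = 0, CTYPE_RAWPK = 1 } ctype_t;

/* Map one keyword, including its alias spelling, to a credential type. */
static ctype_t ctype_from_keyword(const char *kw)
{
    if (!strcmp(kw, "CTYPE-X509") || !strcmp(kw, "CTYPE-X.509"))
        return CTYPE_X509;
    if (!strcmp(kw, "CTYPE-RAWPK") || !strcmp(kw, "CTYPE-RAWPUBKEY"))
        return CTYPE_RAWPK;
    return CTYPE_UNKNOWN;
}

/* Parse a colon-separated CTYPE list such as "CTYPE-RAWPK:CTYPE-X509" (separator
 * assumed) into an ordered array; CTYPE-ALL expands to every known type, X.509
 * first. Returns the number of entries, or -1 on an unknown keyword or overflow. */
static int parse_ctype_priority(const char *prio, ctype_t *out, int max)
{
    char buf[256];
    int n = 0;
    strncpy(buf, prio, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        if (!strcmp(tok, "CTYPE-ALL")) {
            if (n + 2 > max) return -1;
            out[n++] = CTYPE_X509;
            out[n++] = CTYPE_RAWPK;
        } else {
            ctype_t t = ctype_from_keyword(tok);
            if (t == CTYPE_UNKNOWN || n >= max) return -1;
            out[n++] = t;
        }
    }
    return n;
}

/* Walk our list in order and take the first type the peer also offered, so our
 * priority string decides whenever the peer accepts more than one type.
 * Returns CTYPE_UNKNOWN when the lists do not overlap or a string is malformed. */
static ctype_t select_ctype(const char *our_prio, const char *peer_prio)
{
    ctype_t ours[MAX_CTYPES], peer[MAX_CTYPES];
    int nours = parse_ctype_priority(our_prio, ours, MAX_CTYPES);
    int npeer = parse_ctype_priority(peer_prio, peer, MAX_CTYPES);
    if (nours < 0 || npeer < 0) return CTYPE_UNKNOWN;
    for (int i = 0; i < nours; i++)
        for (int j = 0; j < npeer; j++)
            if (ours[i] == peer[j]) return ours[i];
    return CTYPE_UNKNOWN;
}
```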

