"known in advance" public key authentication?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Nov 7 16:47:29 CET 2012

On 11/07/2012 10:06 AM, Graham Murray wrote:
> On Wed, 2012-11-07 at 14:33 +0000, Ivan Shmakov wrote:
>> 	For my application, I need to establish a secure communication
>> 	between two peers, and as it seems, TLS is a perfect fit for
>> 	that.
>> 	A feature of this application is that the public keys of the
>> 	peers are effectively “known in advance”, so, while self-signed
>> 	(unsigned?) X.509 certificates (or some OpenPGP ones) could be
>> 	employed, there's no practical benefit from CC/WoT verification.
>> 	Hence, the question is: is there a way to specify the local key
>> 	pair and the remote public key to GnuTLS “directly”, just prior
>> 	to connecting the remote?
> Would PSK not do what you want?

PSK is not public key authentication, since the keys are shared.

I think the OP may want to avoid calling
gnutls_certificate_verify_peers2, and write their own function to be
passed to gnutls_certificate_set_verify_function that just compares the
certificate received against a local file.


Alternately (for a bit more flexibility in re-keying, should that come
up, at the cost of extra administrative overhead), the OP could run
their own X.509 or OpenPGP signing authority; then ship that signing
authority with both peers, and use it to sign the certificates of either


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20121107/8b5f4879/attachment.pgp>

More information about the Gnutls-help mailing list