"known in advance" public key authentication?
oneingray at gmail.com
Wed Nov 7 17:32:27 CET 2012
>>>>> Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> I think the OP may want to avoid calling
> gnutls_certificate_verify_peers2, and write their own function to be
> passed to gnutls_certificate_set_verify_function that just compares
> the certificate received against a local file.
The problem is that I'd need to either pass around an otherwise
superfluous X.509 (private key, certificate) file, or to create
it when a connection is to be established.
> Alternately (for a bit more flexibility in re-keying, should that
> come up, at the cost of extra administrative overhead), the OP could
> run their own X.509 or OpenPGP signing authority; then ship that
> signing authority with both peers, and use it to sign the
> certificates of either peer.
To put it short, the application in question uses
“self-certified identifiers”; i. e., the public key /is/ the
identifier of the peer. Thus, there doesn't seem to be any
reason whatsoever to sign the public keys used, and both X.509
and OpenPGP hence become of little use.
FSF associate member #7257
More information about the Gnutls-help