"known in advance" public key authentication?

Ivan Shmakov oneingray at gmail.com
Wed Nov 7 17:32:27 CET 2012

>>>>> Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:


 > I think the OP may want to avoid calling
 > gnutls_certificate_verify_peers2, and write their own function to be
 > passed to gnutls_certificate_set_verify_function that just compares
 > the certificate received against a local file.

	The problem is that I'd need to either pass around an otherwise
	superfluous X.509 (private key, certificate) file, or to create
	it when a connection is to be established.

 > https://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html

 > Alternately (for a bit more flexibility in re-keying, should that
 > come up, at the cost of extra administrative overhead), the OP could
 > run their own X.509 or OpenPGP signing authority; then ship that
 > signing authority with both peers, and use it to sign the
 > certificates of either peer.

	To put it short, the application in question uses
	“self-certified identifiers”; i. e., the public key /is/ the
	identifier of the peer.  Thus, there doesn't seem to be any
	reason whatsoever to sign the public keys used, and both X.509
	and OpenPGP hence become of little use.

FSF associate member #7257
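
Added example, not part of the original message or of GnuTLS: one way a function passed to gnutls_certificate_set_verify_function could treat the peer's public key as its identifier, by comparing only the SubjectPublicKeyInfo of the presented certificate with the key known in advance. The name peer_key_is_known and the sample bytes are assumptions made for this sketch; in a real callback the DER bytes would be the first entry returned by gnutls_certificate_get_peers.

```c
#include <stdint.h>
#include <string.h>

/* Read one DER TLV at *p (bounded by end) and advance *p past it. */
static int der_tlv(const uint8_t **p, const uint8_t *end, uint8_t *tag,
                   const uint8_t **val, size_t *len) {
    const uint8_t *q = *p;
    if (end - q < 2) return -1;
    *tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                      /* long form: low 7 bits = number of length octets */
        size_t k = n & 0x7f;
        if (k == 0 || k > 3 || (size_t)(end - q) < k) return -1;
        for (n = 0; k--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *val = q; *len = n; *p = q + n;
    return 0;
}

/* 1 if the certificate's SubjectPublicKeyInfo equals the key known in advance.
   Issuer, validity and signature are deliberately never examined. */
int peer_key_is_known(const uint8_t *der, size_t der_len,
                      const uint8_t *known, size_t known_len) {
    const uint8_t *p = der, *end = der + der_len, *v, *spki; uint8_t tag; size_t n;
    for (int i = 0; i < 2; i++) {        /* enter Certificate, then tbsCertificate */
        if (der_tlv(&p, end, &tag, &v, &n) || tag != 0x30) return 0;
        p = v; end = v + n;
    }
    if (p < end && *p == 0xA0 && der_tlv(&p, end, &tag, &v, &n)) return 0; /* [0] version */
    for (int i = 0; i < 5; i++)          /* serial, sigalg, issuer, validity, subject */
        if (der_tlv(&p, end, &tag, &v, &n)) return 0;
    spki = p;                            /* next TLV is subjectPublicKeyInfo */
    if (der_tlv(&p, end, &tag, &v, &n) || tag != 0x30) return 0;
    return (size_t)(p - spki) == known_len && memcmp(spki, known, known_len) == 0;
}

/* Constructed sample, not a real certificate: empty names/validity, 4-byte stand-in key. */
static const uint8_t SAMPLE_CERT[] = {
    0x30,0x32, 0x30,0x25, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,
    0x30,0x05,0x06,0x03,0x2B,0x65,0x70, 0x30,0x00, 0x30,0x00, 0x30,0x00,
    0x30,0x0E,0x30,0x05,0x06,0x03,0x2B,0x65,0x70,0x03,0x05,0x00,0xAA,0xBB,0xCC,0xDD,
    0x30,0x05,0x06,0x03,0x2B,0x65,0x70, 0x03,0x02,0x00,0x00 };
static const uint8_t KNOWN_KEY[] = {     /* constructed: the peer's identifier */
    0x30,0x0E,0x30,0x05,0x06,0x03,0x2B,0x65,0x70,0x03,0x05,0x00,0xAA,0xBB,0xCC,0xDD };

int main(void) {   /* exit status 0 when the sample peer presents the known key */
    return !peer_key_is_known(SAMPLE_CERT, sizeof SAMPLE_CERT, KNOWN_KEY, sizeof KNOWN_KEY);
}
```

A plain memcmp is used because both values are public. The comparison only settles which key was presented; proof that the peer holds the matching private key comes from the TLS handshake itself.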
