"known in advance" public key authentication?

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Nov 7 18:52:51 CET 2012


On 11/07/2012 05:32 PM, Ivan Shmakov wrote:


>  > Alternately (for a bit more flexibility in re-keying, should that
>  > come up, at the cost of extra administrative overhead), the OP could
>  > run their own X.509 or OpenPGP signing authority; then ship that
>  > signing authority with both peers, and use it to sign the
>  > certificates of either peer.
> 
> 	To put it short, the application in question uses
> 	“self-certified identifiers”; i. e., the public key /is/ the
> 	identifier of the peer.  Thus, there doesn't seem to be any
> 	reason whatsoever to sign the public keys used, and both X.509
> 	and OpenPGP hence become of little use.

Currently you cannot avoid using a container for the public keys, either
X.509 or OpenPGP. You may completely ignore it after that and only
compare the raw keys, or their identifiers, e.g. by using one of the
_get_key_id() functions.

regards,
Nikos
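Added example, not part of the thread and not GnuTLS project code: the check the reply describes, done by hand in Python so it runs without a TLS library. The peer's X.509 container is parsed only far enough to pull out the DER SubjectPublicKeyInfo; the signature is never looked at. The key identifier is taken to be a hash over that DER SPKI, which is my understanding of what GnuTLS's gnutls_x509_crt_get_key_id()/gnutls_pubkey_get_key_id() return for the SHA-256 flag; treat that as an assumption and generate the stored pin with the same function you deploy. The certificate below is constructed in code (empty names, placeholder signature) purely to exercise the parser.

```python
import hashlib
import hmac


def der_encode(tag, content):
    """Minimal DER TLV encoder (definite lengths), used only to build test input."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(buf, start, end):
    """Yield (tag, tlv_start, content_start, tlv_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tlv_start = pos
        tag = buf[pos]
        pos += 1
        length = buf[pos]
        pos += 1
        if length & 0x80:  # long-form length
            num = length & 0x7F
            length = int.from_bytes(buf[pos:pos + num], "big")
            pos += num
        content_start = pos
        pos += length
        if pos > end:
            raise ValueError("DER element overruns its parent")
        yield tag, tlv_start, content_start, pos


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo from an X.509 certificate, ignoring everything else."""
    cert = next(der_children(cert_der, 0, len(cert_der)))
    if cert[0] != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    tbs = next(der_children(cert_der, cert[2], cert[3]))
    fields = list(der_children(cert_der, tbs[2], tbs[3]))
    if fields and fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6:
        raise ValueError("tbsCertificate too short")
    spki = fields[5]
    return cert_der[spki[1]:spki[3]]


def raw_public_key(spki_der):
    """The raw subjectPublicKey bytes (BIT STRING content without the unused-bits octet)."""
    algo, bits = list(der_children(spki_der, 2 if spki_der[1] < 0x80 else 2 + (spki_der[1] & 0x7F), len(spki_der)))[:2]
    if bits[0] != 0x03:
        raise ValueError("subjectPublicKey is not a BIT STRING")
    return spki_der[bits[2] + 1:bits[3]]


def key_id(spki_der, algo="sha256"):
    """Key identifier: hash of the DER SPKI (assumed to match GnuTLS's SHA-256 key ID)."""
    return hashlib.new(algo, spki_der).digest()


def verify_pinned(cert_der, pinned_hex):
    """True iff the peer certificate carries the known-in-advance public key."""
    observed = key_id(extract_spki(cert_der))
    return hmac.compare_digest(observed, bytes.fromhex(pinned_hex))  # constant-time compare


# --- constructed test certificate (not a real key, signature is a placeholder) ---
OID_RSA = bytes.fromhex("06092a864886f70d010101")        # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11


def build_test_cert(pubkey_bytes):
    """Return (cert_der, spki_der) for a syntactically valid but unsigned certificate."""
    spki = der_encode(0x30, der_encode(0x30, OID_RSA + b"\x05\x00")
                      + der_encode(0x03, b"\x00" + pubkey_bytes))
    sigalg = der_encode(0x30, OID_SHA256_RSA + b"\x05\x00")
    name = der_encode(0x30, b"")  # empty Name; parser does not care
    validity = der_encode(0x30, der_encode(0x17, b"200101000000Z") + der_encode(0x17, b"300101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))  # version v3
                     + der_encode(0x02, b"\x01")                         # serialNumber
                     + sigalg + name + validity + name + spki)
    sig = der_encode(0x03, b"\x00" + b"\x00" * 16)  # placeholder, never checked
    return der_encode(0x30, tbs + sigalg + sig), spki


if __name__ == "__main__":
    cert, spki = build_test_cert(b"\x01" * 32)
    pin = key_id(spki).hex()  # what you would store ahead of time for this peer
    print("pin:", pin)
    print("peer accepted:", verify_pinned(cert, pin))
    print("wrong pin accepted:", verify_pinned(cert, "00" * 32))
```

Because the container is discarded after extract_spki(), the same pin is valid whichever wrapper (X.509 here, or OpenPGP with the equivalent packet walk) the peer's key was shipped in; only the public key itself is the identity.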
