Re: "known in advance" public key authentication?
From: Daniel Kahn Gillmor
Subject: Re: "known in advance" public key authentication?
Date: Wed, 07 Nov 2012 10:47:29 -0500
User-agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.10) Gecko/20121028 Icedove/10.0.10
On 11/07/2012 10:06 AM, Graham Murray wrote:
> On Wed, 2012-11-07 at 14:33 +0000, Ivan Shmakov wrote:
>> For my application, I need to establish a secure communication
>> between two peers, and as it seems, TLS is a perfect fit for
>> that.
>>
>> A feature of this application is that the public keys of the
>> peers are effectively “known in advance”, so, while self-signed
>> (unsigned?) X.509 certificates (or some OpenPGP ones) could be
>> employed, there's no practical benefit from CC/WoT verification.
>>
>> Hence, the question is: is there a way to specify the local key
>> pair and the remote public key to GnuTLS “directly”, just prior
>> to connecting the remote?
>
> Would PSK not do what you want?
PSK is not public key authentication, since the keys are shared.
I think the OP may want to avoid calling
gnutls_certificate_verify_peers2, and write their own function to be
passed to gnutls_certificate_set_verify_function that just compares the
certificate received against a local file.
https://www.gnu.org/software/gnutls/manual/html_node/Certificate-credentials.html
Alternately (for a bit more flexibility in re-keying, should that come
up, at the cost of extra administrative overhead), the OP could run
their own X.509 or OpenPGP signing authority; then ship that signing
authority with both peers, and use it to sign the certificates of either
peer.
--dkg
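The following is an added example (not code from the thread, and not dkg's or the GnuTLS project's code) of the approach described in the message above: a verify callback registered with gnutls_certificate_set_verify_function that compares the peer's leaf certificate, byte for byte, against a pinned DER copy loaded from a local file, and never calls gnutls_certificate_verify_peers2. The GnuTLS wiring is compiled only when HAVE_GNUTLS is defined (build with -DHAVE_GNUTLS and link with -lgnutls); the comparison and file helpers are plain C. The byte arrays, the file name peer-pin.der and the struct/function names are constructed for the example and are not GnuTLS API.

```c
/*
 * Added example: pin the peer's certificate to a local DER file in a
 * GnuTLS verify callback.  Not part of the original thread.  The GnuTLS
 * part compiles only with -DHAVE_GNUTLS (link with -lgnutls); the byte
 * arrays below are constructed stand-ins, not real certificates.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for a DER-encoded peer certificate and a copy
 * whose last byte was altered. */
static const unsigned char kPinnedDer[]   = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc3 };
static const unsigned char kTamperedDer[] = { 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4 };

/* Compare the received certificate against the pinned one.  A length
 * mismatch is rejected up front; otherwise every byte is OR-ed into a
 * running difference with no early exit, so the time taken does not
 * reveal where the first differing byte is.  Returns 1 on match, 0 otherwise. */
int pin_matches(const unsigned char *peer, size_t peer_len,
                const unsigned char *pin, size_t pin_len)
{
    unsigned char diff = 0;
    size_t i;
    if (peer == NULL || pin == NULL || peer_len != pin_len || pin_len == 0)
        return 0;
    for (i = 0; i < pin_len; i++)
        diff |= peer[i] ^ pin[i];
    return diff == 0;
}

/* Read the whole pin file into a heap buffer (caller frees).  NULL on error. */
unsigned char *load_pin_file(const char *path, size_t *len_out)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf;
    long n;
    if (f == NULL)
        return NULL;
    if (fseek(f, 0, SEEK_END) != 0 || (n = ftell(f)) <= 0 || fseek(f, 0, SEEK_SET) != 0) {
        fclose(f);
        return NULL;
    }
    buf = malloc((size_t)n);
    if (buf == NULL || fread(buf, 1, (size_t)n, f) != (size_t)n) {
        free(buf);
        fclose(f);
        return NULL;
    }
    fclose(f);
    *len_out = (size_t)n;
    return buf;
}

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>

/* Assumed helper struct: the pinned DER bytes handed to the session via
 * gnutls_session_set_ptr() before the handshake. */
struct pinned_peer { const unsigned char *der; size_t len; };

/* Verify callback for gnutls_certificate_set_verify_function().
 * Returning 0 lets the handshake continue; any non-zero value aborts it.
 * Only the leaf certificate (certs[0]) is compared; any chain the peer
 * sends along is ignored, as is expiry, since the pin is the whole policy. */
static int verify_pinned_peer(gnutls_session_t session)
{
    const struct pinned_peer *pin = gnutls_session_get_ptr(session);
    unsigned int count = 0;
    const gnutls_datum_t *certs;

    if (pin == NULL || gnutls_certificate_type_get(session) != GNUTLS_CRT_X509)
        return GNUTLS_E_CERTIFICATE_ERROR;
    certs = gnutls_certificate_get_peers(session, &count);
    if (certs == NULL || count == 0)
        return GNUTLS_E_CERTIFICATE_ERROR;
    return pin_matches(certs[0].data, certs[0].size, pin->der, pin->len)
               ? 0 : GNUTLS_E_CERTIFICATE_ERROR;
}
/* Wiring (xcred: gnutls_certificate_credentials_t, session: gnutls_session_t):
 *   gnutls_certificate_set_verify_function(xcred, verify_pinned_peer);
 *   gnutls_session_set_ptr(session, &my_pinned_peer);
 */
#endif

/* Round trip with a constructed file: write the pinned stand-in, reload it,
 * and check that the genuine copy passes and the tampered copy fails.
 * Returns 1 when both checks behave as expected. */
int demo_roundtrip(void)
{
    const char *path = "peer-pin.der";   /* assumed file name for the example */
    unsigned char *pin;
    size_t pin_len = 0;
    int genuine, tampered;
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return 0;
    fwrite(kPinnedDer, 1, sizeof kPinnedDer, f);
    fclose(f);
    pin = load_pin_file(path, &pin_len);
    remove(path);
    if (pin == NULL)
        return 0;
    genuine  = pin_matches(kPinnedDer, sizeof kPinnedDer, pin, pin_len);
    tampered = pin_matches(kTamperedDer, sizeof kTamperedDer, pin, pin_len);
    free(pin);
    return genuine == 1 && tampered == 0;
}

int main(void)
{
    printf("pin round trip behaves as expected: %d\n", demo_roundtrip());
    return 0;
}
```

Because the callback compares the full DER encoding, re-keying the peer means shipping a new pin file to the other side, which is the administrative trade-off dkg contrasts with running a private signing authority.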