help-gnutls

Re: "known in advance" public key authentication?


From: Nikos Mavrogiannopoulos
Subject: Re: "known in advance" public key authentication?
Date: Wed, 07 Nov 2012 18:52:51 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120805 Icedove/10.0.6

On 11/07/2012 05:32 PM, Ivan Shmakov wrote:


>  > Alternately (for a bit more flexibility in re-keying, should that
>  > come up, at the cost of extra administrative overhead), the OP could
>  > run their own X.509 or OpenPGP signing authority; then ship that
>  > signing authority with both peers, and use it to sign the
>  > certificates of either peer.
> 
>       To put it short, the application in question uses
>       “self-certified identifiers”; i. e., the public key /is/ the
>       identifier of the peer.  Thus, there doesn't seem to be any
>       reason whatsoever to sign the public keys used, and both X.509
>       and OpenPGP hence become of little use.

Currently you cannot avoid using a container for the public keys, either
X.509 or OpenPGP. You may completely ignore it after that and only
compare the raw keys, or their identifiers, e.g. by using one of the
_get_key_id() functions.

regards,
Nikos
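The check Nikos describes, as an added example that is not GnuTLS code or anything posted in this thread: a pure-Python stand-in for what a verify callback would do when the public key is the peer's identity. A minimal DER walker pulls the SubjectPublicKeyInfo out of the peer's certificate, hashes it into a key ID and compares that against the pinned ID; issuer, serial number, validity, signature and the rest of the container are deliberately ignored. The key_id() function assumes that gnutls_x509_crt_get_key_id() with flags 0 is a SHA-1 digest over the DER SubjectPublicKeyInfo; verify that against your GnuTLS version before pinning values produced by one against the other. The sample certificates are constructed inside the block around toy RSA parameters with an all-zero signature, so they are only valid as containers.

```python
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, OID, NULL, UTF8, UTC_TIME, SET = (
    0x30, 0x02, 0x03, 0x06, 0x05, 0x0C, 0x17, 0x31)
EXPLICIT_0 = 0xA0  # [0] EXPLICIT tag of the optional tbsCertificate.version


def der_read(buf: bytes, off: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, body, end_offset) of the TLV that starts at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def der_elements(body: bytes) -> list[tuple[int, bytes]]:
    """Split a constructed body into (tag, whole TLV) pairs, one per element."""
    out, off = [], 0
    while off < len(body):
        tag, _, end = der_read(body, off)
        out.append((tag, body[off:end]))
        off = end
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 Certificate, nothing else."""
    tag, cert_body, end = der_read(cert_der)
    if tag != SEQUENCE or end != len(cert_der):
        raise ValueError("not a single DER Certificate")
    tbs_tag, tbs_body, _ = der_read(cert_body)      # tbsCertificate is the first element
    if tbs_tag != SEQUENCE:
        raise ValueError("malformed tbsCertificate")
    fields = der_elements(tbs_body)
    if fields and fields[0][0] == EXPLICIT_0:       # v1 certificates omit the version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]


def key_id(spki_der: bytes) -> bytes:
    """SHA-1 over the SPKI DER; assumed to equal gnutls_x509_crt_get_key_id() with flags 0."""
    return hashlib.sha1(spki_der).digest()


def peer_key_matches(peer_chain: list[bytes], pinned_id: bytes) -> bool:
    """The verify-callback decision: only the leaf's key counts, the chain is never walked."""
    if not peer_chain:
        return False
    try:
        seen = key_id(spki_from_cert(peer_chain[0]))
    except ValueError:
        return False                                # malformed container is a failed match
    return hmac.compare_digest(seen, pinned_id)


# --- constructed sample data: a toy DER encoder and certificates with a zero signature ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    return der_tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # keeps sign byte


def algid(oid_hex: str) -> bytes:
    return der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex(oid_hex)) + der_tlv(NULL, b""))


def build_rsa_spki(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for rsaEncryption; n is a toy modulus, not a usable key."""
    rsa_pub = der_tlv(SEQUENCE, der_int(n) + der_int(e))
    return der_tlv(SEQUENCE, algid("2A864886F70D010101") + der_tlv(BIT_STRING, b"\x00" + rsa_pub))


def build_cert(spki: bytes, serial: int, name: str, v3: bool = True) -> bytes:
    """Syntactically valid Certificate around spki, signed with 32 zero bytes on purpose."""
    cn = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE,
         der_tlv(OID, bytes.fromhex("550403")) + der_tlv(UTF8, name.encode()))))
    validity = der_tlv(SEQUENCE, der_tlv(UTC_TIME, b"121107000000Z") + der_tlv(UTC_TIME, b"131107000000Z"))
    version = der_tlv(EXPLICIT_0, der_int(2)) if v3 else b""
    tbs = der_tlv(SEQUENCE, version + der_int(serial) + algid("2A864886F70D01010B") + cn + validity + cn + spki)
    return der_tlv(SEQUENCE, tbs + algid("2A864886F70D01010B") + der_tlv(BIT_STRING, b"\x00" * 33))


def toy_modulus(label: bytes) -> int:
    return int.from_bytes(hashlib.sha256(label).digest() * 2, "big") | 1


if __name__ == "__main__":
    peer_spki = build_rsa_spki(toy_modulus(b"peer-A"))
    pinned = key_id(peer_spki)                                   # shipped to the other side
    print(peer_key_matches([build_cert(peer_spki, 1, "peer-A")], pinned))            # same key
    print(peer_key_matches([build_cert(peer_spki, 9, "renamed", v3=False)], pinned))  # new container, same key
    print(peer_key_matches([build_cert(build_rsa_spki(toy_modulus(b"peer-B")), 1, "peer-A")], pinned))
```

In a GnuTLS program the same decision would sit in a callback registered with gnutls_certificate_set_verify_function(): fetch the peer's raw certificate list with gnutls_certificate_get_peers(), import the first entry into a gnutls_x509_crt_t, call gnutls_x509_crt_get_key_id() on it and compare the result to the pinned ID with a constant-time comparison, returning non-zero to abort the handshake on mismatch. Re-keying then only means distributing a new key ID, since the certificate around the key carries no trust of its own.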


