help-gnutls

Re: "known in advance" public key authentication?


From: Florian Weimer
Subject: Re: "known in advance" public key authentication?
Date: Wed, 07 Nov 2012 22:52:33 +0100

* Ivan Shmakov:

>       Hence, the question is: is there a way to specify the local key
>       pair and the remote public key to GnuTLS “directly”, just prior
>       to connecting the remote?

I recommend using self-signed X.509 certificates; this way you can
port your software to other crypto libraries.  It is possible to
override the certificate verification function and replace the
PKI-based verification with something that performs a database
lookup, for instance.  You can use the subject DN or a hash to look up
the certificate in the database, and perform a bit-wise comparison
between the peer certificate and what is found in the database.

Make sure your certificates are valid X.509v3.  GNUTLS is extremely
forgiving, and if you've got a widely deployed certificate which
cannot be used with Java (for instance), this can be annoying.
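The database lookup plus bit-wise comparison described in the reply above, as an added example that is not code from the post or from GnuTLS itself. The subject DNs and DER bytes are constructed stand-ins; the GnuTLS calls named in the comments are where a real verify callback would obtain its inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A "known in advance" peer store. Each entry pins the full DER encoding of
 * one self-signed certificate, indexed by its subject DN. The DN is only a
 * lookup key; authentication is the byte-for-byte comparison of the
 * certificate the peer actually presented. */
struct pinned_peer {
    const char    *subject_dn;   /* lookup key, e.g. "CN=node1" (constructed) */
    const uint8_t *der;          /* expected certificate, DER encoded */
    size_t         der_len;
};

/* Constructed stand-in bytes; a real entry holds the peer's actual DER. */
static const uint8_t NODE1_DER[] = { 0x30, 0x82, 0x01, 0x0a, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t NODE2_DER[] = { 0x30, 0x82, 0x01, 0x0b, 0xca, 0xfe, 0xf0, 0x0d, 0x01 };

static const struct pinned_peer PEER_DB[] = {
    { "CN=node1", NODE1_DER, sizeof NODE1_DER },
    { "CN=node2", NODE2_DER, sizeof NODE2_DER },
};

/* Length-checked comparison that does not stop at the first differing byte. */
static int der_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    if (alen != blen) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < alen; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Verification policy in the shape of a GnuTLS verify callback: return 0 to
 * accept the session, non-zero (GNUTLS_E_CERTIFICATE_ERROR in real code) to
 * abort the handshake. A callback registered with
 * gnutls_certificate_set_verify_function() would take `der`/`der_len` from
 * gnutls_certificate_get_peers(session, &n)[0] (the leaf certificate) and
 * `subject_dn` from gnutls_x509_crt_get_dn() on the imported leaf. */
int verify_pinned_peer(const char *subject_dn, const uint8_t *der, size_t der_len)
{
    if (subject_dn == NULL || der == NULL || der_len == 0)
        return -1;                         /* nothing presented: reject */
    for (size_t i = 0; i < sizeof PEER_DB / sizeof PEER_DB[0]; i++) {
        if (strcmp(PEER_DB[i].subject_dn, subject_dn) != 0)
            continue;
        /* DN matched: the certificate itself must be bit-identical. */
        return der_equal(PEER_DB[i].der, PEER_DB[i].der_len, der, der_len) ? 0 : -1;
    }
    return -1;                             /* unknown peer: reject */
}
```

A peer whose DN is in the store but whose certificate differs by even one byte (a re-issued key, or an attacker reusing the name) is rejected, which is what makes the DN safe to use as a mere index.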
