On Mon, May 19, 2008 at 11:38 PM, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
> Hi Simon,
>
> I am working on both the client and server sides.
>
> What gives me most problems is the fingerprint authentication. In
> essence, each peer has a list of valid (remote peer's) certificate
> fingerprints. If the actual cert's fingerprint is in this list, the
> remote peer is successfully authenticated. This is an alternate auth
> mode that does not require PKI.

Actually this is a hack. As far as I remember there was no standard way to fingerprint a certificate. MD5 was widely used for this but it is broken now.

The alternative modes of TLS/SSL that do not require PKI are TLS-SRP (RFC 5054) and TLS-PSK (preshared keys - RFC 4279). These are the straightforward ways to use TLS without PKI (certificates). Then it is obvious to everybody how to perform the TLS handshake - if the shared keys do not match it fails. GnuTLS supports both of these modes. Please suggest these to the authors of the protocol you're referencing.

regards,
Nikos
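
The fingerprint check described in the quoted message, written so that each list entry names its digest and MD5 entries are refused, is sketched below as an added example that is not part of the original thread. The `ALG:hex` pin format, all function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Digests accepted for pins; MD5 and SHA-1 are deliberately absent.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}

# Constructed sample bytes standing in for a DER-encoded certificate.
# In real use: ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82" + b"constructed-not-a-real-certificate"

def parse_pin(entry):
    """Parse 'ALG:hex' (colons, spaces, case tolerated) into (alg, digest bytes)."""
    alg, sep, hexpart = entry.strip().partition(":")
    alg = alg.lower().replace("-", "")
    if not sep or alg not in ALLOWED_DIGESTS:
        raise ValueError(f"missing or unsupported digest label: {entry!r}")
    raw = bytes.fromhex(hexpart.replace(":", "").replace(" ", ""))
    if len(raw) != hashlib.new(alg).digest_size:
        raise ValueError(f"wrong length for {alg} fingerprint: {entry!r}")
    return alg, raw

def pin_is_acceptable(entry):
    """True if the entry parses as a pin with an allowed digest."""
    try:
        parse_pin(entry)
        return True
    except ValueError:
        return False

def load_pins(entries):
    """Parse the whole list up front so a bad entry fails at start-up."""
    return [parse_pin(e) for e in entries]

def format_pin(der_cert, alg="sha256"):
    """Render a certificate's fingerprint in the 'ALG:AA:BB:...' form."""
    h = hashlib.new(alg, der_cert).hexdigest().upper()
    return alg.upper() + ":" + ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def peer_is_pinned(der_cert, pins):
    """True if the certificate's digest equals any pin (constant-time compare)."""
    cache, ok = {}, False
    for alg, want in pins:
        got = cache.setdefault(alg, hashlib.new(alg, der_cert).digest())
        ok |= hmac.compare_digest(got, want)  # no early exit on a match
    return ok
```
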
