On Fri, Feb 24, 2023 at 04:27:28PM -0800, Russ Allbery wrote:
>
> (There is the other problem that all of the effort, hardware support, and
> optimization work is going into TLS now, and it feels like a huge waste of
> energy to try to compete with TLS in the secure transport business. But
> that's a whole different can of worms since TLS is very wedded to X.509
> certificates and there are a bunch of very good reasons to not want to use
> X.509 certificates for client authentication in a lot of situations.)

In case you haven't been following, OpenSSL is set to grow TLS raw public
key support soon, probably in 3.1 or so:
https://github.com/openssl/openssl/pull/18185

I've seen a number of places picking up on TLS with raw public key as an
option for secure transport when they don't want to be wedded to X.509
certificates (whether for client or for server). You do have to supply
your own authorization layer, then, of course, but you may already have
one.

-Ben
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
