>> When you sign a certificate you are actually signing the hash of the
>> certificate. So you essentially are saying: "This certificate with the
>> hash xxxyyy is trusted by my CA". Traditionally we used the MD5 of the
>> certificate, then SHA1 and now SHA256 which we signed. (See the weak md5
>> discussion).
>>
>> The reason that the hash is signed instead of the public key is that this
>> way you are also signing the other properties of the certificate (e.g.
>> CN, extensions, etc.). If you change the public key (or any other property
>> of the certificate) also the hash of the certificate changes.
>>
>> If you just have a list of hashes that you trust you just cut out the
>> middle man (the CA) that establishes the trust relationship for you.
>>
>>
> I understand that part - it's how certificate pinning etc work. However,
> for a "regular" TLS connection (or any asymmetric encryption scheme)
> you normally need a public key and a private key in order to establish a
> connection. However, with certificate pinning all you do is *ADD* an
> extra check, not replace a check. You will need and use both the public
> and the private key to establish security. How is this done in the
> proposed patch?

Private and public key are still used. The patch still uses certificates and TLS, it only replaces the check of the peer's certificate against the CA with a hash check (certificate pinning if you want). So basically instead of saying that you trust all certificates signed by a CA, you trust only those certificates of which you have hashes.

A certificate pinning of an unknown CA is exactly the same. Since you cannot verify that certificate you add a one-off certificate in your list of trusted certificates.

Arne
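
The hash check discussed in this message, sketched as an added Python example (not code from the OpenVPN patch): the peer's certificate is accepted only if its fingerprint is in a configured list, and changing any field of the certificate changes the fingerprint. Assumptions: the function names are hypothetical, the fingerprint is taken as SHA-256 over the DER encoding, and the sample "certificates" are constructed byte strings rather than real X.509 data.

```python
import hashlib
import hmac
import ssl


def fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the whole DER certificate: key, CN, extensions, signature."""
    return hashlib.sha256(cert_der).digest()


def parse_pin(text: str) -> bytes:
    """Accept 'AA:BB:..' or plain hex; reject anything that is not 32 bytes."""
    raw = bytes.fromhex(text.strip().replace(":", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("not a SHA-256 fingerprint")
    return raw


def peer_is_trusted(cert_der: bytes, pins: list) -> bool:
    """Hash check used in place of validating the certificate against a CA.

    The TLS handshake still proves that the peer holds the private key for
    this certificate; this function only decides whether the certificate
    itself is one we trust.
    """
    got = fingerprint(cert_der)
    trusted = False
    for pin in pins:  # no early exit; compare_digest is constant-time
        trusted |= hmac.compare_digest(got, pin)
    return trusted


# Constructed stand-ins for DER certificates (not real X.509 data).
PEER_DER = b"constructed-cert|CN=vpn-peer-1|pubkey=0123456789abcdef"
ALTERED_DER = PEER_DER.replace(b"CN=vpn-peer-1", b"CN=vpn-peer-2")

# The pin list an operator would configure, in colon-separated hex.
PIN_TEXT = ":".join("%02X" % b for b in fingerprint(PEER_DER))
PINS = [parse_pin(PIN_TEXT)]

# Pins are taken over DER bytes, so a PEM file is decoded before hashing.
PEER_PEM = ssl.DER_cert_to_PEM_cert(PEER_DER)

if __name__ == "__main__":
    print(peer_is_trusted(PEER_DER, PINS))
    print(peer_is_trusted(ssl.PEM_cert_to_DER_cert(PEER_PEM), PINS))
    print(peer_is_trusted(ALTERED_DER, PINS))
```

With Python's `ssl` module the DER bytes of a live peer come from `SSLSocket.getpeercert(binary_form=True)`.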