On 24/05/18 12:17, Arne Schwabe wrote: > >>> When you sign a certificate you are actually singing the hash of the >>> certificate. So you essentially are saying: "This certificate with the >>> hash xxxyyy is trusted by my CA". Traditionally we used the MD5 of the >>> certificate, then SHA1 and now SHA256 which we signed. (See the weak md5 >>> discussion). >>> >>> The reason that the hash is signed instead of the public is that this >>> way you are also signing the other properties of the certificate (e.g. >>> CN, extensions, etc.). If you can the public key (or any other property >>> of the certificate) also the hash of the certificate changes. >>> >>> If you just have a list of hashes that you trust you just cut out the >>> middle man (the CA) that establishes the trust relationship for you. >>> >>> >> I understand that part - it's how certificate pinning etc work. However, >> for a "regular" TLS connection (or any assymmetric encryprion scheme) >> you normally need a public key and a private key in order to establish a >> connection. However, with certificate pinning all you do is *ADD* an >> extra check, not replace a check. You will need and use both the public >> and the private key to establish security. How is this done in the >> proposed patch? > > Private and public key are still used. The patch stil uses certificates > and TLS, it only replaces the check certificate of the peer's > certificate against the CA with a hash check (certificate pinning if you > want). > > So basically instead of saying that you trust all certificates signed by > a CA, you only trust only those certifcates of which have hashes. A > certificate pinning of an unknown CA is exactly the same. Since you > cannot verify that certificate you add a one off certificate in your > list of trusted certificates.
Correct me if I'm wrong, but this approach allows for self-signed certificates too, right? -- kind regards, David Sommerseth OpenVPN Inc ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
