Hi,

> > JJK, I think you are misreading this proposal. No hash is being sent
> > as a part of the handshake -- it's still client and server
> > certificates that are exchanged and checked during handshake. The hash
> > is exchanged by a separate channel (say snail mail:) in advance, and
> > serves the purpose of establishing trust (i.e., the prior knowledge of
> > hash replaces the prior knowledge of a trusted CA). How the hash is
> > exchanged is beyond the scope of openvpn or TLS handshake in this
> > case.

Right to the point, Selva. This is the best description of this proposal.

> no, I've heard a lot and talked a lot about this proposal before it ended
> up on the list. I do know what the purpose is, it's just that I have
> serious doubts about replacing
>   ( pub/priv key plus 'trust anchors' such as CA certificates )
> by
>   ( we all trust each other because we know each other's SHA2 hashes )
> There are downsides to a PKI with certificates but I think we're throwing
> out too much of the good stuff by allowing "just a hash" as the basis for
> trust. And one of my main concerns is that people keep comparing it to
> "that's just like how SSH does it" - *THAT* is simply not true.

JJK, I am sorry I brought SSH as an example. I didn't mean "exactly" like SSH. Just, "kind of like" SSH.

In this proposal, we leave the TLS handshake to handle public key exchange as usual. No need to modify client<->server communication. The only difference is how server and client verify peer's certificate validity. Normally, they check peer's certificate fields like "Not valid before", "Not valid after", "Issued By" etc. In this proposal, they'd only check peer certificate by its SHA thumbprint - and skip all other standard certificate checks.

This would allow you to have a CA-less OpenVPN setup:
- Make self-signed certificate on server and each client (with like 100 years validity),
- Deploy server certificate hash in client.ovpn,
- List acceptable client certificate hashes in server.ovpn (Or use an external script to do the hash lookup)

Best regards,
Simon
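The thumbprint check and allowlist lookup described in the message above, as an added example (not from the thread and not OpenVPN's code). The allowlist file format, the function names and the sample "certificates" (constructed placeholder bytes, not real X.509) are assumptions.

```python
import hashlib
import ssl


def fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's full DER encoding, lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or plain hex; return 64 lowercase hex digits."""
    hexstr = fp.replace(":", "").lower()
    if len(hexstr) != 64 or set(hexstr) - set("0123456789abcdef"):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return hexstr


def load_allowlist(text: str) -> dict:
    """Parse '<fingerprint> <label>' lines; '#' starts a comment."""
    allowed = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if fields:
            label = fields[1].strip() if len(fields) > 1 else "unnamed"
            allowed[normalize(fields[0])] = label
    return allowed


def check_peer(pem: str, allowed: dict):
    """Return the pinned peer's label, or None (reject). Validity dates and
    issuer are deliberately not examined, as the proposal describes."""
    return allowed.get(fingerprint(pem))


def colon_hex(hexstr: str) -> str:
    """Format plain hex as the colon-separated uppercase form."""
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2)).upper()


# Constructed stand-ins for certificates: not real X.509. Only the exact
# bytes matter to a thumbprint check, so placeholder bytes are enough here.
CLIENT_A = ssl.DER_cert_to_PEM_cert(b"constructed client A certificate bytes")
CLIENT_B = ssl.DER_cert_to_PEM_cert(b"constructed client B certificate bytes")
ALLOWLIST = ("# constructed allowlist\n%s laptop-a  # issued by hand\n"
             % colon_hex(fingerprint(CLIENT_A)))

if __name__ == "__main__":
    allowed = load_allowlist(ALLOWLIST)
    for name, pem in (("A", CLIENT_A), ("B", CLIENT_B)):
        print(name, "->", check_peer(pem, allowed) or "REJECT")
```

With pinning of this kind, taking a client out of service means deleting its line from the allowlist, because nothing in the certificate itself is consulted to expire or revoke it.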