What does this accomplish you can’t just basically do with
—client-cert-not-required?
Eric Crist
> On May 25, 2018, at 3:56 PM, Simon Rozman <si...@rozman.si> wrote:
>
> Hi,
>
>>> JJK, I think you are misreading this proposal. No hash is being sent
>>> as a part of the handshake -- its still client and server
>>> certificates that are exchanged and checked during handshake. The hash
>>> is exchanged by a separate channel (say snail mail:) in advance, and
>>> serves the purpose of establishing trust (ie., the prior knowledge of
>>> hash replaces the prior knowledge of a trusted CA). How the hash is
>>> exchanged is beyond the scope of openvpn or TLS handshake in this
>>> case.
>
> Right to the point, Selva. This is the best description of this proposal.
>
>> no, I've heard a lot and talked a lot about this proposal before it ended up
>> on
>> the list. I do know what the purpose is, it's just that I have serious
>> doubts
>> about replacing
>> ( pub/priv key plus 'trust anchors' such as CA certificates ) by
>> ( we all trust each other because we know each other's SHA2 hashes )
>> There are downsides to a PKI with certificates but I think we're throwing
>> out
>> too much of the good stuff by allowing "just a hash" as the basis for
>> trust. And one of my main concerns is that people keep comparing it to
>> "that's just like how SSH does it" - *THAT* is simply not true.
>
> JJK, I am sorry I brought SSH as an example. I didn't mean "exactly" like
> SSH.
> Just, "kind of like" SSH.
>
> In this proposal, we leave the TLS handshake to handle public key exchange as
> usual. No need to modify client<->server communication.
> The only difference is how server and client verify peer's certificate
> validity. Normally, they check peer's certificate fields like "Not valid
> before", "Not valid after", "Issued By" etc. In this proposal, they'd only
> check peer certificate by its SHA thumbprint - and skip all other standard
> certificate checks.
>
> This would allow you to have a CA-less OpenVPN setup:
> - Make self-signed certificate on server and each client (with like 100 years
> validity),
> - Deploy server certificate hash in client.ovpn,
> - List acceptable client certificate hashes in server.ovpn (Or use an
> external
> script to do the hash lookup)
>
> Best regards,
> Simon
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
