Comments (7)
Not sure what would be a benefit of implementing this
from tls-tris.
I wanted to implement ssh-like authentication, with an authorized hosts file. You can just use self-signed certs without this, which is why no one has implemented it.
from tls-tris.
It would also be super useful for p2p applications. These typically don’t have any CA, but rely on the public key to establish the peer’s identity.
I’m not sure if implementing this RFC is in scope for this repo, but if it is, I’d be very happy to contribute some code to make this happen.
from tls-tris.
I think it could be interesting. Do you have any particular p2p application in mind that would like to use it?
from tls-tris.
We'd like to use that for libp2p, the network stack of IPFS.
The way peer auth works in libp2p is that the key ID is basically the hash of the public key. During the handshake, both peers authenticate each other by checking the pub key hash. For the TLS handshake currently used for QUIC, we generating a self-signed certificate, and retrieve that using ConnectionState
after the handshake completes. It works, but it's a bit of overhead that we could get rid off by using raw public keys.
from tls-tris.
ok, I see. Initially I've thought that it would be possible to use delegated credentials (https://datatracker.ietf.org/doc/html/draft-rescorla-tls-subcerts) which is a bit different solution. Nevertheless, it case of DC the public key changes often (validity is 7 days), so IMHO it's not a right solution for libp2p.
If you would like to propose patch for RFC 7250, feel free to do it. (there is a rule; code without proper tests doesn't exist :)
from tls-tris.
+1
from tls-tris.
Related Issues (20)
- Support for 0-RTT HOT 7
- Server resonds with incorrect error code when client sends empty list of certificates HOT 4
- add a license
- use of internal HOT 2
- Add SM- ciphersuites
- Client certificate has expired on Feb 13, 2019 HOT 1
- Wrong trace, when handshake fails on client side
- testing: one docker for testing is (more than) enough
- Create a standalone tls library that does not require patching the Go standard library HOT 1
- X25519: Check for all zeros value
- BUG: default ciphersSuites for 1.3 HOT 3
- Improve testing HOT 3
- Go 1.12/1.13 compatibility HOT 1
- build: Create debian package during build HOT 3
- Build fail on Arch Linux HOT 2
- Vendoring issues with SIKE and SIDH
- Server does not seem to support season ticket sealer in TLS 1.2
- Rebase on upstream Go crypto/tls
- Check that the library properly builds for all OS
- Add linters and checkers
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tls-tris.