On May 20, 10:38 pm, Badra <[EMAIL PROTECTED]> wrote:
[snip]
> Fingerprint-based is not secure within TLS, not specified anywhere, and it
> is a hack.

Well, it actually is (somewhat), right there in the PSK RFC, section 1.1:

   If the main goal is to avoid Public-Key Infrastructures (PKIs),
   another possibility worth considering is using self-signed
   certificates with public key fingerprints. Instead of manually
   configuring a shared secret in, for instance, some configuration
   file, a fingerprint (hash) of the other party's public key (or
   certificate) could be placed there instead.

see http://www.ietf.org/rfc/rfc4279.txt

> Why don't you use PSK instead?

I guess that is why Pasi Eronen (RFC 4279 author) suggested using fingerprints to the syslog wg ;)

Rainer
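
The fingerprint check that the quoted RFC 4279 text describes, as an added example (not part of the original message or of any project discussed in it). It assumes SHA-256 over the DER-encoded certificate and pins kept as hex strings in a configuration file; all function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Assumption: pins are SHA-256 fingerprints of the peer's DER certificate,
# written as hex with optional colons (e.g. "AB:CD:...").

def normalize_pin(text):
    """Turn 'AB:CD:...' or 'abcd...' into digest bytes; reject truncated pins."""
    raw = bytes.fromhex(text.strip().replace(":", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin is not a full SHA-256 fingerprint")
    return raw

def cert_fingerprint(der_cert):
    """SHA-256 digest of the DER-encoded certificate."""
    return hashlib.sha256(der_cert).digest()

def pin_matches(der_cert, configured_pins):
    """True if the certificate's fingerprint equals any configured pin."""
    actual = cert_fingerprint(der_cert)
    matched = False
    for pin in configured_pins:
        # compare_digest does not reveal how many leading bytes matched
        matched |= hmac.compare_digest(actual, normalize_pin(pin))
    return matched

def connect_pinned(host, port, configured_pins, timeout=10):
    """TLS connection to a peer with a self-signed certificate, trusting only the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no PKI: chain and name checks are
    ctx.verify_mode = ssl.CERT_NONE   # replaced by the fingerprint check below
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, configured_pins):
        sock.close()
        raise ssl.SSLError("peer certificate matches no configured fingerprint")
    return sock
```

Accepting a list of pins lets the old and new fingerprint coexist while a peer rotates its certificate; no application data should be sent before the check in connect_pinned has passed.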