On May 23, 8:34 am, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
> On May 20, 10:38 pm, Badra <[EMAIL PROTECTED]> wrote:
> [snip]
>
> > Fingerprint-based is not secure within TLS, not specified anywhere, and it
> > is a hack.
>
> Well, it actually is (somewhat), right there in the PSK RFC, section
> 1.1:
>
>    If the main goal is to avoid Public-Key Infrastructures (PKIs),
>    another possibility worth considering is using self-signed
>    certificates with public key fingerprints. Instead of manually
>    configuring a shared secret in, for instance, some configuration
>    file, a fingerprint (hash) of the other party's public key (or
>    certificate) could be placed there instead.
>
> see http://www.ietf.org/rfc/rfc4279.txt
>
> > Why don't you use PSK instead?
>
> I guess that is why Pasi Eronen (RFC 4279 author) suggested to use
> fingerprints to the syslog wg ;)

I forgot to mention: guessing is good, verifying is better. I'll bring
up this question on the syslog WG mailing list.

Rainer
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
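
The mechanism in the RFC 4279 section 1.1 passage quoted above (a configured fingerprint of the peer's certificate taking the place of PKI validation), as an added example that is not part of the original message or of any project discussed in this thread. The `ALG:hex` fingerprint notation and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Assumed notation for a configured fingerprint: "ALG:AB:CD:..." (not from the thread).
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


def parse_fingerprint(text):
    """Parse 'SHA256:AB:CD:...' into (algorithm name, raw digest bytes)."""
    alg, sep, hexpart = text.strip().partition(":")
    alg = alg.upper()
    if not sep or alg not in ALGORITHMS:
        raise ValueError("unsupported or missing hash algorithm: %r" % text)
    digest = bytes.fromhex(hexpart.replace(":", ""))
    # A truncated fingerprint must be rejected, not compared as a prefix.
    if len(digest) != ALGORITHMS[alg]().digest_size:
        raise ValueError("fingerprint has the wrong length for " + alg)
    return alg, digest


def fingerprint_matches(der_cert, permitted):
    """True if the DER certificate hashes to one of the permitted fingerprints."""
    for entry in permitted:
        alg, expected = parse_fingerprint(entry)
        actual = ALGORITHMS[alg](der_cert).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def connect_pinned(host, port, permitted):
    """Open a TLS connection and keep it only if the peer certificate is pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no PKI: trust comes from the fingerprint alone
    ctx.verify_mode = ssl.CERT_NONE  # chain validation is replaced by the check below
    tls = ctx.wrap_socket(socket.create_connection((host, port)))
    der = tls.getpeercert(binary_form=True)  # DER bytes are returned even with CERT_NONE
    if not der or not fingerprint_matches(der, permitted):
        tls.close()
        raise ssl.SSLError("peer certificate fingerprint is not in the permitted list")
    return tls
```

With chain validation disabled, the fingerprint comparison is the only authentication step, so no application data should be sent before `connect_pinned` returns.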