<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:2.0cm 42.5pt 2.0cm 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=RU link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>A gentle reminder that VirgilSecurity actively works on integrating custom PKI (not certificate based) into NoiseSocket and even has a sample for it. https://github.com/go-noisesocket/noisesocket/tree/master/virgil<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>I haven’t touched it in a while, could be outdated but If you guys are interested in doing something similar just drop me a message.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><br>Cheers!<br>Alex<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><b>From:</b> Noise <noise-bounces@moderncrypto.org> <b>On Behalf Of </b>Trevor Perrin<br><b>Sent:</b> Tuesday, May 1, 2018 9:48 PM<br><b>To:</b> Nadim Kobeissi <nadim@symbolic.software><br><b>Cc:</b> noise <noise@moderncrypto.org><br><b>Subject:</b> Re: [noise] Regarding Static Key Authentication<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>The Noise spec has some text about this:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>"""<o:p></o:p></p></div><div><p class=MsoNormal>Authentication: A Noise protocol with static public keys verifies that the corresponding private keys are possessed by the participant(s), but it's up to the application to determine whether the remote party's static public key is acceptable. Methods for doing so include certificates which sign the public key (and which may be passed in handshake payloads), preconfigured lists of public keys, or "pinning" / "key-continuity" approaches where parties remember public keys they encounter and check whether the same party presents the same public key in the future.<o:p></o:p></p></div><div><p class=MsoNormal>"""<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Trevor<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, May 1, 2018 at 1:01 PM, Nadim Kobeissi <<a href="mailto:nadim@symbolic.software" target="_blank">nadim@symbolic.software</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal>Thank you, everyone!<br><br clear=all><o:p></o:p></p><div><div><div><div><p class=MsoNormal>Nadim Kobeissi<o:p></o:p></p><div><p class=MsoNormal>Symbolic Software <span style='font-size:12.0pt;color:#545454'>• <a href="https://symbolic.software" target="_blank">https://symbolic.software</a></span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:#545454'>Sent from office</span><o:p></o:p></p></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div><div><div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Tue, May 1, 2018 at 2:50 PM Marian Beermann <<a href="mailto:public@enkore.de" target="_blank">public@enkore.de</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal style='margin-bottom:12.0pt'>Hi Nadim,<br><br>yes, if the intention is to have an AKE (authenticated key exchange),<br>then the peer's static key needs to be authenticated in one way or<br>another. Noise does not provide an out-of-the-box way to do that.<br><br>-Marian<br><br>On 01.05.2018 14:31, Nadim Kobeissi wrote:<br>> Dear David,<br>> So, the conclusion is that any `s` appearing in either a pre-message or<br>> message pattern, is assumed to be authenticated out-of-band, as in<br>> independently of the Noise handshake, by the recipient party?<br>> <br>> Thank you,<br>> <br>> Nadim Kobeissi<br>> Symbolic Software • <a href="https://symbolic.software" target="_blank">https://symbolic.software</a><br>> Sent from office<br>> <br>> <br>> On Tue, May 1, 2018 at 2:10 PM David Wong <<a href="mailto:davidwong.crypto@gmail.com" target="_blank">davidwong.crypto@gmail.com</a><br>> <mailto:<a href="mailto:davidwong.crypto@gmail.com" target="_blank">davidwong.crypto@gmail.com</a>>> wrote:<br>> <br>> > If a token 's' appears in a Noise handshake pattern pre-message<br>> flight, it<br>> > is reasonable for us to assume that this key represented by 's' was<br>> > pre-authenticated by the parties. That is, if the initiator sent<br>> 's' in a<br>> > pre-message, then the responder is assumed to have authenticated<br>> 's' already<br>> > out of band, using for example a QR code as is the current<br>> use-case, for<br>> > example, in the Signal secure messenger.<br>> <br>> I don't think this is a good comparison. Signal allows you to<br>> post-handshake authenticate the session whereas a pre-message `s`<br>> means that you have pinned `s` and thus you trust the session from the<br>> start.<br>> <br>> `s` in a message pattern implies that you have a way to ensure that<br>> you know that `s`. This can be done in different ways:<br>> <br>> * out of band post-handshake (like Signal)<br>> * by having the sender also send a signature from some authority that<br>> you trust (PKI)<br>> * by recognizing the cert from a trust store<br>> * ...?<br>> <br>> Hope that helps,<br>> David<br>> <br>> <br>> <br>> _______________________________________________<br>> Noise mailing list<br>> <a href="mailto:Noise@moderncrypto.org" target="_blank">Noise@moderncrypto.org</a><br>> <a href="https://moderncrypto.org/mailman/listinfo/noise" target="_blank">https://moderncrypto.org/mailman/listinfo/noise</a><br>> <o:p></o:p></p></blockquote></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Noise mailing list<br><a href="mailto:Noise@moderncrypto.org">Noise@moderncrypto.org</a><br><a href="https://moderncrypto.org/mailman/listinfo/noise" target="_blank">https://moderncrypto.org/mailman/listinfo/noise</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>