[noise] certificate chains

Trevor Perrin trevp at trevp.net
Mon Jul 2 07:58:25 PDT 2018


On Mon, Jul 2, 2018 at 11:46 AM, Arvid Picciani <aep at exys.org> wrote:
> thanks trevor,
>
> i'm using  IX now like so:
> again, u is ed25519 pub key, and u(s) is signature over s plus a
> protocol identifier as suggested by travor
>
>        <- u
>        ....
>       -> e, s
>       <- e, ee, se, s, es, u(s)
>       -> u, u(s)

Thanks,

I interpret the additional fields in the 2nd message as being sent in
the handshake payload, and in the 3rd message as being sent in the
first transport payload?

Since client-authentication isn't completed until the 3rd message, I'm
wondering if you could use XX instead?  This would provide better
client identity-hiding, since the client's identity would be encrypted
and only revealed to an authenticated server.


> are there any specs from this group for signature chains?
> i'm making up my own now, but i'd love to read something with the
> quality of the noise spec.

We've talked about that a few times, for example coming up with
something that used protobufs and fit easily into NLS, but haven't
come up with anything.  Probably a few projects have invented their
own lightweight cert format, at this point.

Trevor


More information about the Noise mailing list