Currently, handshake patterns with I and X (key is transmitted as part of the handshake) seem to enforce signatures and a PKI. For example NX:
Noise_NX is a handshake pattern similar to a typical browser ↔ HTTPS server scenario where the client does not authenticate itself and the server authenticates its public key via a signature from an authoritative signing key.
This is not at all the only way of using these handshake patterns. TOFU (trust on first use) or (a whitelist of) key pinning are also possibilities.
How to do it? Your StaticPublicKeyProof() function can return an empty string and your PublicKeyVerifier() can always return true or match public keys against a whitelist.
Furthermore, to obtain the public key received from the connection, one must either use the Disco functions directly (and they are currently not exported) or must use the ListenDisco/AcceptDisco() functions that return a libdisco.Conn instead of a net.Conn, giving access to extra functions like RemotePublicKey().
I am also trying to think of a way a net.Conn could be used to retrieve that public key. The problem is that its interface is limited to modifying its RemoteAddr() function (which is supposed to return the ip:port tuple of the peer). Perhaps a flag in the configuration of Disco could tweak this to return a publickey:ip:port tuple instead?
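The two alternatives to a PKI that the issue mentions, a whitelist verifier and a TOFU store, written out as an added example that is not libdisco code; it assumes the verifier shape `func(publicKey, proof []byte) bool` and that the caller supplies a peer name (obtained separately, e.g. from RemoteAddr()) for the TOFU decision.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"fmt"
	"sync"
)

// PinnedVerifier ignores the (empty) proof and accepts only static keys
// present on the whitelist. ConstantTimeCompare also rejects keys of the
// wrong length, so a truncated key can never match a pinned one.
func PinnedVerifier(whitelist [][]byte) func(publicKey, proof []byte) bool {
	return func(publicKey, proof []byte) bool {
		for _, pinned := range whitelist {
			if subtle.ConstantTimeCompare(publicKey, pinned) == 1 {
				return true
			}
		}
		return false
	}
}

// TOFUStore remembers the first static key seen for each peer name and
// rejects any later connection from that peer presenting a different key.
type TOFUStore struct {
	mu   sync.Mutex
	seen map[string][]byte // peer name -> pinned static public key
}

func NewTOFUStore() *TOFUStore { return &TOFUStore{seen: map[string][]byte{}} }

// Verify: unknown peer -> pin and accept; same key -> accept; new key -> reject.
func (s *TOFUStore) Verify(peer string, publicKey []byte) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	pinned, ok := s.seen[peer]
	if !ok {
		s.seen[peer] = append([]byte(nil), publicKey...) // copy, caller may reuse
		return true
	}
	return subtle.ConstantTimeCompare(publicKey, pinned) == 1
}

func main() {
	serverKey := bytes.Repeat([]byte{0x11}, 32) // constructed sample key
	rogueKey := bytes.Repeat([]byte{0x22}, 32)  // constructed sample key
	verify := PinnedVerifier([][]byte{serverKey})
	fmt.Println("pinned key:", verify(serverKey, nil), "unknown key:", verify(rogueKey, nil))
	store := NewTOFUStore()
	fmt.Println("first use:", store.Verify("peer:6666", serverKey), "changed:", store.Verify("peer:6666", rogueKey))
}
```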