51 lines
1.3 KiB
Text
51 lines
1.3 KiB
Text
.TH THUMBPRINT 6
|
|
.SH NAME
|
|
thumbprint \- public key thumbprints
|
|
.SH DESCRIPTION
|
|
.PP
|
|
Applications in Plan 9 that use public keys for authentication,
|
|
for example by calling
|
|
.B tlsClient
|
|
and
|
|
.B okThumbprint
|
|
or
|
|
.B okCertificate
|
|
(see
|
|
.IR pushtls (2)),
|
|
check the remote side's public key by comparing against
|
|
thumbprints from a trusted list.
|
|
The list is maintained by people who set local policies
|
|
about which servers can be trusted for which applications,
|
|
thereby playing the role taken by certificate authorities
|
|
in PKI-based systems.
|
|
By convention, these lists are stored as files in
|
|
.B /sys/lib/tls/
|
|
and protected by normal file system permissions.
|
|
.PP
|
|
Such a thumbprint file comprises lines made up of
|
|
attribute/value pairs of the form
|
|
.IB attr = value
|
|
or
|
|
.IR attr .
|
|
The first attribute must be the application tag:
|
|
.B x509
|
|
for tls applications or
|
|
.B ssh
|
|
for ssh server fingerprints.
|
|
The second attribute must be a hash type of
|
|
.B sha1=
|
|
or
|
|
.BI sha256=
|
|
followed by the hex or base64 encoded hash of binary certificate
|
|
or public key.
|
|
All other attributes are treated as comments.
|
|
The file may also contain lines of the form
|
|
.B #include
|
|
.I file
|
|
.PP
|
|
For example, a web server might have thumbprint
|
|
.EX
|
|
x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com
|
|
.EE
|
|
.SH "SEE ALSO"
|
|
.IR pushtls (2)
|