💾 Archived View for bbs.geminispace.org › s › Gemini › 1111 captured on 2023-11-14 at 08:24:57. Gemini links have been rewritten to link to archived content


-=-=-=-=-=-=-

Hobby coder here with a question. When implementing client authentication, do we just store the TLS client hash? If so, how is this not able to be spoofed? I'm guessing there is some public key authentication going on in the background. Looking at the spec and some searches only helped a little.

#certificates #client_certificates #programming

Posted in: s/Gemini

🍀 gritty

May 27 · 6 months ago


☕️ mozz · May 27 at 03:54:

the certificate is signed -> the certificate cannot be generated without the owner's private key -> the certificate's hash cannot be generated without the owner's private key -> the certificate hash cannot be spoofed

🚀 skyjake · May 27 at 06:34:

You may be interested in this thread where the same topic came up:

— /s/Bubble/149

🤖 alexlehm · May 27 at 08:56:

I had a big problem convincing people on another project that the way client hashes are used is in fact secure (since I asked how to do that in a Java server). In the end it turned out to work quite well, I use that in my chat server.

🍀 gritty · May 27 at 16:34:

perfect, that's what I thought. thanks everyone!
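
The server side of the approach discussed in this thread, as an added example (not code from any poster or from the Gemini project): the server stores only the SHA-256 hash of the client certificate and looks up the account by hashing whatever certificate the TLS library reports for the connection. It assumes the TLS handshake has already completed, during which a client that presents a certificate must also sign the handshake with the matching private key; `AccountStore`, `respond` and the sample byte strings are hypothetical, while status codes 20, 60 and 61 come from the Gemini specification.

```python
import hashlib


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the whole DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


class AccountStore:
    """Hypothetical in-memory store: certificate fingerprint -> account name."""

    def __init__(self):
        self._accounts = {}

    def register(self, name: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        if fp in self._accounts:
            raise ValueError("certificate already bound to an account")
        self._accounts[fp] = name
        return fp

    def lookup(self, der_cert: bytes):
        return self._accounts.get(fingerprint(der_cert))


def respond(store: AccountStore, peer_der) -> str:
    """Build the Gemini response for a page that requires a known identity.

    peer_der must be the certificate the TLS library reports for this
    connection after the handshake, never a hash or certificate taken from
    the request itself: the handshake is what proves key possession.
    """
    if not peer_der:
        return "60 Client certificate required\r\n"
    account = store.lookup(peer_der)
    if account is None:
        return "61 Certificate not authorised\r\n"
    return "20 text/gemini\r\n" + f"# Welcome back, {account}\n"


# Constructed stand-ins for DER certificates (not real certificates).
ALICE_DER = b"constructed stand-in for alice's DER certificate"
OTHER_DER = b"constructed stand-in for some other DER certificate"

if __name__ == "__main__":
    store = AccountStore()
    print("stored:", store.register("alice", ALICE_DER))
    for der in (None, OTHER_DER, ALICE_DER):
        print(repr(respond(store, der)))
```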