NAME
thumbprint – public key thumbprints |
DESCRIPTION
Applications in Plan 9 that use public keys for authentication,
for example by calling tlsClient and okThumbprint or okCertificate
(see pushtls(2)), check the remote side's public key by comparing
against thumbprints from a trusted list. The list is maintained
by people who set local policies about which
servers can be trusted for which applications, thereby playing
the role taken by certificate authorities in PKI–based systems.
By convention, these lists are stored as files in /sys/lib/tls/
and protected by normal file system permissions. Such a thumbprint file comprises lines made up of attribute/value pairs of the form attr=value or attr. The first attribute must be the application tag: x509 for tls applications or ssh for ssh server fingerprints. The second attribute must be a hash type of sha1= or sha256= followed by the hex or base64 encoded hash of binary certificate or public key. All other attributes are treated as comments. The file may also contain lines of the form #include file
For example, a web server might have thumbprint |
SEE ALSO
pushtls(2) |