> On Jul 8, 2020, at 1:51 PM, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote: > > On Wed, Jul 08, 2020 at 01:31:04PM -0400, Felipe Gasper wrote: > >> What I’m looking for is a way to authenticate a user over TLS in >> essentially the same manner that SSH’s handshake uses, where a >> signature of a shared secret validates the public key, which is on a >> preconfigured allowlist. I could do it post-handshake by using RFC >> 5705 key material exports as the shared secret--this usage seems to >> exemplify the intent of that extension--but TLS raw public keys seem a >> bit closer to “prior art”. > > Indeed DANE is only a good fit for authenticating servers, for > authenticating clients, you just want to compute a public key > fingerprint and do a database lookup. > > This is also supported in Postfix, just don't authenticate > the client cert at all (no PKI), grab the key digest and > use it directly for access control. Wouldn’t there need to be a shared secret, though, or some other way for the server to have some influence on the randomness of what the client’s private key signs? (I don’t know TLS well enough to comment on whether that happens in an ordinary TLS handshake, but I assume it does?) -F