From: Nikos Mavrogiannopoulos Date: Sat, 11 Feb 2012 09:23:44 +0000 (+0100) Subject: updated X-Git-Tag: gnutls_3_0_13~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cd1a770dccf326aca9763f818880252c8d72f6bd;p=thirdparty%2Fgnutls.git updated --- diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index b03d35daf7..f6824070e5 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -286,8 +286,13 @@ consult @xcite{RFC2818} and section @ref{ex:verify} for an example. It is possible to use a trust on first use (similar to SSH) authentication method in GnuTLS. That means that having seen and associated a public key -with a host is enough to trust it on the subsequent connections. -A hybrid system with X.509 and SSH authentication is +with a host is enough to trust it on the subsequent connections. Such +a system in combination with the normal CA verification, and OCSP verification, +can help to provide multiple factor verification, where a single point of +failure is not enough to compromise the system. For example a server compromise +may be detected using OCSP, and a CA compromise can be detected using +the trust on first use method. +Such a hybrid system with X.509 and SSH authentication is shown in @ref{Simple client example with SSH-style certificate verification}. @showfuncdesc{gnutls_verify_stored_pubkey}