AkinoKaede / asport

A quick and secure reverse proxy based on QUIC for NAT traversal.
GNU General Public License v3.0
172 stars, 11 forks

Feature Request: Noise Protocol auth #24

Open DaveWK opened 1 month ago

DaveWK commented 1 month ago

Hi, I have been using rathole (https://github.com/rapiz1/rathole); however, it seems development has dropped off. I was hoping they would be adding QUIC support, but am interested that your project is QUIC-native.

One thing I liked about rathole was that it uses the Noise protocol (https://github.com/rapiz1/rathole/blob/main/docs/transport.md#noise-protocol) rather than certificates for authentication. It's much less work to manage than certificates while still providing the benefits of mutual auth/TLS. The rathole CLI also has a feature to generate the pub/private keys inside the config, which also makes it a bit simpler and less error-prone.

Was wondering if you'd consider adding support for Noise auth to your project so I can have the best of both? Here's their implementation: https://github.com/rapiz1/rathole/blob/main/src/transport/noise.rs

AkinoKaede commented 1 month ago

RFC 9000 and RFC 9001 require QUIC to be secure, and through TLS. However, I am considering the possibility of deriving X.509 certificates from PSK.

AkinoKaede commented 1 month ago

> RFC 9000 and RFC 9001 require QUIC to be secure, and through TLS. However, I am considering the possibility of deriving X.509 certificates from PSK.

After a brief trial, it is feasible but not very secure, as it is equivalent to handing over the private key to the client.
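The weakness described in the comment above, as an added example that is not part of asport or of this thread: if a server's certificate key is derived deterministically from the PSK, any client that knows the PSK can recompute that private key and produce signatures that verify under the server's certificate. The HMAC-SHA256 derivation, the `asport-server` name and the sample PSK below are constructed assumptions, not asport's design.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeriveKeyFromPSK: HMAC-SHA256 as a simple KDF, so every PSK holder recomputes the same private key.
func DeriveKeyFromPSK(psk []byte, label string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, psk)
	mac.Write([]byte(label)) // label separates roles, e.g. "server"
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// SelfSignedCertFromKey builds the self-signed X.509 certificate a QUIC/TLS server would present.
func SelfSignedCertFromKey(key ed25519.PrivateKey, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CanImpersonate reports whether holderKey can sign a handshake challenge that
// verifies under the certificate's public key, i.e. pose as its subject.
func CanImpersonate(cert *x509.Certificate, holderKey ed25519.PrivateKey) bool {
	challenge := []byte("constructed stand-in for a handshake transcript")
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, challenge, ed25519.Sign(holderKey, challenge))
}

func main() {
	psk := []byte("constructed-shared-secret") // constructed sample PSK
	cert, err := SelfSignedCertFromKey(DeriveKeyFromPSK(psk, "server"), "asport-server")
	if err != nil { panic(err) }
	// a PSK holder recomputes the server key (true); a key from a different PSK does not verify (false)
	fmt.Println(CanImpersonate(cert, DeriveKeyFromPSK(psk, "server")), CanImpersonate(cert, DeriveKeyFromPSK([]byte("other-psk"), "server")))
}
```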

DaveWK commented 1 month ago

Understood -- I guess there is a variant of QUIC called nQUIC, but it seems conceptual/early enough at this point that it probably doesn't have quinn/rust support yet.

DaveWK commented 1 month ago

I stand corrected... https://github.com/quinn-rs/quinn/issues/719

AkinoKaede commented 1 month ago

> I stand corrected... quinn-rs/quinn#719

I didn't find a detailed specification and a reliable implementation, and it seems a bit difficult to implement.