libp2p / specs

Technical specifications for the libp2p networking stack
https://libp2p.io

Consider just using public keys for TLS #240

Closed: Demi-Marie closed 4 years ago

Demi-Marie commented 4 years ago

The current TLS transport spec specifies that public keys are encoded in X.509 certificates. I think we should reconsider this.

Parsing X.509 is highly nontrivial, and is a significant amount of attack surface. This complexity is just extra overhead in the context of libp2p. I know that rustls just treats certificates as opaque blobs, and I suspect other implementations do as well. So, if I understand correctly, we can put whatever we want there without causing problems.

marten-seemann commented 4 years ago

The TLS RFC defines the format for the Certificate extension, and that doesn't allow us to send an opaque blob, even if certain implementations don't enforce this.

An alternative would be to use raw public keys (RFC 7250), but we decided against doing this, mainly because none of the TLS implementations we're using offers support for this extension.