THUMBPRINT(6)                                       THUMBPRINT(6)

     NAME
          thumbprint - public key thumbprints

     DESCRIPTION
          Applications in Plan 9 that use public keys for
          authentication, for example by calling tlsClient and
          okThumbprint or okCertificate (see pushtls(2)), check the
          remote side's public key by comparing against thumbprints
          from a trusted list.  The list is maintained by people who
          set local policies about which servers can be trusted for
          which applications, thereby playing the role taken by
          certificate authorities in PKI-based systems.  By
          convention, these lists are stored as files in
          /sys/lib/tls/ and protected by normal file system
          permissions.

          Such a thumbprint file comprises lines made up of
          attribute/value pairs of the form attr=value or attr. The
          first attribute must be the application tag: x509 for TLS
          applications or ssh for SSH server fingerprints.  The second
          attribute must be a hash type of sha1= or sha256= followed
          by the hex- or base64-encoded hash of the binary certificate
          or public key.  All other attributes are treated as
          comments.  The file may also contain lines of the form
          #include file.

          For example, a web server might have the thumbprint
          x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com
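
          An added example, not part of the original manual page or
          of Plan 9's own code: a Python checker for the file format
          described above, useful for auditing a trusted list.  It
          assumes whitespace-separated attributes and optional base64
          padding, and reports any line that breaks the stated rules;
          the function names and sample data are hypothetical.

```python
import base64, hashlib

DIGEST_SIZE = {"sha1": 20, "sha256": 32}   # raw digest lengths in bytes
TAGS = {"x509", "ssh"}                     # application tags named on the page

def decode_digest(alg, text):
    """Decode a hex or base64 digest; raise ValueError if it is malformed."""
    size = DIGEST_SIZE[alg]
    try:
        if len(text) == 2 * size:          # only hex has this length
            return bytes.fromhex(text)
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except ValueError as e:                # binascii.Error is a ValueError
        raise ValueError(f"bad {alg} encoding") from e
    if len(raw) != size:
        raise ValueError(f"{alg} digest must be {size} bytes, got {len(raw)}")
    return raw

def parse_thumbprints(text):
    """Return (entries, includes, errors) for the contents of one thumbprint file."""
    entries, includes, errors = [], [], []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0] == "#include":
            includes.extend(fields[1:2])   # include is recorded, never opened
            continue
        try:
            if fields[0] not in TAGS:
                raise ValueError(f"unknown application tag {fields[0]!r}")
            alg, sep, value = "".join(fields[1:2]).partition("=")
            if alg not in DIGEST_SIZE or not sep:
                raise ValueError("second attribute must be sha1= or sha256=")
            entries.append((fields[0], alg, decode_digest(alg, value), fields[2:]))
        except ValueError as e:
            errors.append((n, str(e)))
    return entries, includes, errors

def is_trusted(entries, tag, der):
    """True if the hash of the binary certificate or key is listed under tag."""
    return any(t == tag and hashlib.new(a, der).digest() == d for t, a, d, _ in entries)

SAMPLE_DER = b"constructed stand-in for binary certificate bytes"
B64 = base64.b64encode(hashlib.sha256(SAMPLE_DER).digest()).decode().rstrip("=")
SAMPLE = "\n".join([   # line 1 is the page's example, the rest are constructed
    "x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com",
    "#include extra.constructed",
    f"x509 sha256={B64} note=constructed",
    "tls sha1=8fe472d31b360a8303cd29f92bd734813cbd923c",
    "ssh md5=abcd",
])
```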

     SEE ALSO
          pushtls(2)

     Page 1                       Plan 9            (printed 11/18/24)