THUMBPRINT(6)

NAME
     thumbprint - public key thumbprints

DESCRIPTION
     Applications in Plan 9 that use public keys for authentication,
     for example by calling tlsClient and okThumbprint or okCertificate
     (see pushtls(2)), check the remote side's public key by comparing
     against thumbprints from a trusted list. The list is maintained by
     people who set local policies about which servers can be trusted
     for which applications, thereby playing the role taken by
     certificate authorities in PKI-based systems. By convention, these
     lists are stored as files in /sys/lib/tls/ and protected by normal
     file system permissions.

     Such a thumbprint file comprises lines made up of attribute/value
     pairs of the form attr=value or attr. The first attribute must be
     the application tag: x509 for tls applications or ssh for ssh
     server fingerprints. The second attribute must be a hash type of
     sha1= or sha256= followed by the hex or base64 encoded hash of the
     binary certificate or public key. All other attributes are treated
     as comments. The file may also contain lines of the form

          #include file

     For example, a web server might have thumbprint

          x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com

SEE ALSO
     pushtls(2)
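The file format described above, as an added Python example that is not part of this manual page or of Plan 9's own code: it parses thumbprint lines (including #include) and checks raw certificate bytes against the result. The names parse_thumbprints, is_trusted and read_include are hypothetical; the code assumes whitespace-separated fields without quoting and accepts base64 with or without padding.

```python
import base64, hashlib

DIGEST_LEN = {"sha1": 20, "sha256": 32}   # hash types the format allows
TAGS = {"x509", "ssh"}                    # application tags the format allows

def decode_digest(kind, value):
    """Digest bytes from hex or base64 text; None if malformed or wrong length."""
    n = DIGEST_LEN[kind]
    try:
        if len(value) == 2 * n:
            return bytes.fromhex(value)
        # Assumption: base64 may appear with or without '=' padding.
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:
        return None
    return raw if len(raw) == n else None

def parse_thumbprints(text, read_include=None, _seen=None):
    """Return the set of (tag, hashtype, digest) entries; bad lines add no trust."""
    seen = set() if _seen is None else _seen
    trusted = set()
    for line in text.splitlines():
        fields = line.split()   # simplification: no quoted values
        if fields[:1] == ["#include"]:
            if len(fields) > 1 and read_include and fields[1] not in seen:
                seen.add(fields[1])            # guard against include cycles
                trusted |= parse_thumbprints(read_include(fields[1]), read_include, seen)
            continue
        if len(fields) < 2 or fields[0] not in TAGS:
            continue
        kind, sep, value = fields[1].partition("=")
        digest = decode_digest(kind, value) if sep and kind in DIGEST_LEN else None
        if digest is not None:
            trusted.add((fields[0], kind, digest))
    return trusted

def is_trusted(der, trusted, tag="x509"):
    """True if a supported hash of the raw bytes is listed under this tag."""
    return any((tag, k, hashlib.new(k, der).digest()) in trusted for k in DIGEST_LEN)

# Constructed sample input: stand-in bytes, not a real certificate.
CERT = b"constructed DER bytes"
B64 = base64.b64encode(hashlib.sha256(CERT).digest()).decode().rstrip("=")
FILES = {
    "main": "#include extra\nx509 sha256=" + B64 + " cn=example\nx509 sha1=zz cn=bad\n",
    "extra": "#include main\nx509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com\n",
}
TABLE = parse_thumbprints(FILES["main"], FILES.__getitem__)
```

A line whose hash does not decode to the exact digest length is dropped rather than stored, so a truncated or mistyped entry never matches anything.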