THUMBPRINT(6)                                       THUMBPRINT(6)

     NAME
          thumbprint - public key thumbprints

     DESCRIPTION
          Applications in Plan 9 that use public keys for
          authentication, for example by calling tlsClient and
          okThumbprint (see pushtls(2)), check the remote side's pub-
          lic key by comparing against thumbprints from a trusted
          list.  The list is maintained by people who set local poli-
          cies about which servers can be trusted for which applica-
          tions, thereby playing the role taken by certificate author-
          ities in PKI-based systems.  By convention, these lists are
          stored as files in /sys/lib/tls/ and protected by normal
          file system permissions.

          Such a thumbprint file comprises lines made up of
          attribute/value pairs of the form attr=value or attr. The
          first attribute must be x509 and the second must be
          sha1={hexchecksumofbinarycertificate}.  All other attributes
          are treated as comments.  The file may also contain lines of
          the form #includefile

          For example, a web server might have thumbprint
          x509 sha1=8fe472d31b360a8303cd29f92bd734813cbd923c cn=*.cs.bell-labs.com

     SEE ALSO
          pushtls(2)

     Page 1                       Plan 9            (printed 11/18/24)