author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-02-11 10:23:44 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-02-11 10:23:44 +0100 |
commit | cd1a770dccf326aca9763f818880252c8d72f6bd (patch) | |
tree | a2d9f6b5122d0c80e5894e650c3d09911df35780 /doc/cha-cert-auth.texi | |
parent | b75c48f0237aa0f22191f563bfd2d198a78bc714 (diff) | |
download | gnutls-cd1a770dccf326aca9763f818880252c8d72f6bd.tar.gz |
updated
Diffstat (limited to 'doc/cha-cert-auth.texi')
-rw-r--r-- | doc/cha-cert-auth.texi | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index b03d35daf7..f6824070e5 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -286,8 +286,13 @@ consult @xcite{RFC2818} and section @ref{ex:verify} for an example. It is possible to use a trust on first use (similar to SSH) authentication method in GnuTLS. That means that having seen and associated a public key -with a host is enough to trust it on the subsequent connections. -A hybrid system with X.509 and SSH authentication is +with a host is enough to trust it on the subsequent connections. Such +a system in combination with the normal CA verification, and OCSP verification, +can help to provide multiple factor verification, where a single point of +failure is not enough to compromise the system. For example a server compromise +may be detected using OCSP, and a CA compromise can be detected using +the trust on first use method. +Such a hybrid system with X.509 and SSH authentication is shown in @ref{Simple client example with SSH-style certificate verification}. @showfuncdesc{gnutls_verify_stored_pubkey} |
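Review bot: the detection claims in the added sentences ("a server compromise may be detected using OCSP, and a CA compromise can be detected using the trust on first use method") are stronger than the mechanisms described support, and should be qualified. As the unchanged sentence just above says, trust on first use only protects subsequent connections to a host whose key has already been seen, so a mis-issued certificate from a compromised CA is noticed only when it carries a public key different from the stored one, and never on first contact; OCSP, for its part, can only report what the issuing CA has already revoked. Suggest wording along the lines of "For example, a revoked server certificate will be rejected by OCSP checking, and a certificate issued by a compromised CA for an already-known host will be rejected by the trust on first use check because its public key differs from the stored one." Minor style points in the same hunk: "multiple factor verification" reads better as "multi-factor verification", the comma in "normal CA verification, and OCSP verification" is spurious, and "For example a server compromise" wants a comma after "example".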