[zeromq-dev] Certificate formats

Mathias Hablützel habl at zhaw.ch
Tue Oct 1 15:46:26 CEST 2013


On Tue, Oct 01, 2013 at 11:21:58AM +0000, Pieter Hintjens wrote:
> I've started to collect requirements, in the hope we can make a standard format.

Unfortunately I don't see a simple possibility for the other side to
verify if my certificate has not been forged (Certificate Signing).
Though you may use the GPG approach of public crypto servers holding the
signatures but this makes it more complicated than really needed.

So you are basically left with three options IMO:

- PKI as we know it from SSL with CAs
- Web of Trust like GPG/PGP
- Manually add authorized/trusted public keys

Personally I think the best option would be a mix:

1. Check if the public key has been signed with my (server) key
2. IF NOT look up if it has been added to a list/file of allowed keys
   (like ssh does with authorized_keys)

And no, I'm not a cryptographer. :(
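
The two-step check described in the message above, as an added Go example that is not part of the original post or of ZeroMQ. It assumes Ed25519 signatures over the raw client public key and an allow list holding one base64 key per line; `ParseAllowList`, `Authorize`, `seedKey`, `pub` and `Demo` are hypothetical names, and all keys are constructed from fixed seeds.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// ParseAllowList reads one base64 key per line, comment after it (assumed format).
func ParseAllowList(text string) map[string]bool {
	allowed := map[string]bool{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) > 0 {
			raw, err := base64.StdEncoding.DecodeString(f[0])
			if err == nil && len(raw) == ed25519.PublicKeySize {
				allowed[string(raw)] = true // '#' lines fail to decode and are skipped
			}
		}
	}
	return allowed
}

// Authorize applies both steps in order; assumes the server signs the raw client key.
func Authorize(serverPub, clientPub, sig []byte, allowed map[string]bool) string {
	sized := len(serverPub) == ed25519.PublicKeySize && len(clientPub) == ed25519.PublicKeySize
	if sized && ed25519.Verify(serverPub, clientPub, sig) {
		return "signed-by-server" // step 1: signed with the server key
	}
	if sized && allowed[string(clientPub)] {
		return "in-allow-list" // step 2: listed like an authorized_keys entry
	}
	return "rejected"
}

// seedKey derives a fixed key from a constructed seed; pub returns its public half.
func seedKey(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}
func pub(k ed25519.PrivateKey) []byte { return k.Public().(ed25519.PublicKey) }
// Demo checks three constructed clients: signed, allow-listed, unknown.
func Demo() [3]string {
	srv, a, b, c := seedKey(1), pub(seedKey(2)), pub(seedKey(3)), pub(seedKey(4))
	list := ParseAllowList("# peers\n" + base64.StdEncoding.EncodeToString(b) + " bob\n")
	return [3]string{Authorize(pub(srv), a, ed25519.Sign(srv, a), list),
		Authorize(pub(srv), b, nil, list), Authorize(pub(srv), c, nil, list)}
}
func main() { fmt.Println(Demo()) }
```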