[zeromq-dev] Certificate formats

Tony Arcieri bascule at gmail.com
Wed Oct 2 02:18:54 CEST 2013


I've been working on a certificate format of my own ;) Would be great to
combine efforts! I'm still rather open on a number of details.

https://github.com/cryptosphere/cif

I'm also in the "gathering requirements" phase, you won't find much of a
specification there. Having been up to my eyeballs in X.509 for awhile
there's a number of problems I'd like to see solved, though. I should spell
them out in the README, but I can spell them out for you here:

1) There should only be one possible (i.e. "distinguished") encoding of any
given certificate!
2) Certificates should be human-readable (no ASN.1)
3) It should be easy to extract keys from certificates without a special
tool
4) It should be easy to combine certificates and keys without a special tool
5) Distinguished Names should have one, canonical (dare I say
"distinguished") representation. I think that representation should be a URI
6) Signatures by an issuer should contain all information necessary to
validate a signature from a given trust root. It should not be necessary to
assemble certificate chains by hand.

I'd like for everything (keys, DNs, etc) to be represented as URIs if
possible.

I've been looking at self-delimited strings (specifically pkt-lines) as the
structuring mechanism. Self-delimiting strings eliminate the need for
complex escaping rules (especially if we're encoding strings that already
have escaping rules like URIs) and it's trivial to write a parser for them
in any language.

I could be convinced otherwise, but formats like JSON or TOML would make it
difficult to achieve #1 on my list.

--

I would also like to address the LANGSEC concerns about X.509/ASN.1. They
recommend a regular or context-free grammar, but I've talked with Meredith
Patterson about using a context-sensitive grammar, and pkt-lines seem to
address their concerns.

I strongly recommend reading their paper though, especially if you're
trying to design a new certificate format:

http://www.cs.dartmouth.edu/~sergey/langsec/papers/langsec-tr.pdf

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20131001/2509003d/attachment-0001.htm>


More information about the zeromq-dev mailing list