[zeromq-dev] Certificate formats

Tony Arcieri bascule at gmail.com
Thu Oct 3 22:13:50 CEST 2013


On Wed, Oct 2, 2013 at 12:11 AM, Pieter Hintjens <ph at imatix.com> wrote:

> So this may be a very stupid question, but what does a certificate
> have to hold that is so complex?


Well, first, I'm not sure what I'm describing that's "so complex" ;)
Simplicity is my aim! But there are many things certificates need to do in
the scope of organizational usage, especially in large systems administered
by many people.


> We have one or two keys, some meta
> data... why would you be thinking of anything more complex than
> plain text?
>

Certificates need to contain the following:

- Identities (i.e. DNs)
- Relationships between identities (i.e. issuers, chains of trust)
- Keys

In an infrastructural scenario, we may want certificates to all belong to
an organization, but limit authority at various levels of granularity, i.e.:

1) Do we all belong to the same organization?
2) Are we in the same office/country?
3) Are we in the same OU/division/datacenter?


>
> For a grid, yes, a certificate server seems the right model. I've not
> thought about CRLs as we don't have the use case for revocation yet.


If you do have grids that trust a CA for authentication (perhaps checking
OUs or whatever) you will want a way to revoke the keys/certificates of
nodes that are compromised.

-- 
Tony Arcieri
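Added example, not part of Tony's or Pieter's posts and not ZeroMQ's own certificate code: the three things the post says a certificate must hold (identities as DNs, issuer relationships forming a chain of trust, keys), the three levels of granularity (organization, country, OU), and the revocation point from the last paragraph, all exercised with Go's standard-library X.509 types. The Policy type, the issue/revoke/authorize functions, and every name in it ("Example Corp", "Berlin Office CA", "node-a", "dc1", "dc2") are this example's own invented fixtures; keys are ephemeral Ed25519 keys generated on each run. The CRL handling requires Go 1.19 or later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the connect-time question at the post's three levels of
// granularity; an empty field means "don't care".
type Policy struct{ Organization, Country, OrganizationalUnit string }

type entity struct { // a certificate with its private key (fixture code only)
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

var nextSerial int64 // toy counter; a real CA uses random 20-byte serials

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates an Ed25519 certificate for subject: self-signed when parent is
// nil, otherwise signed by parent (the issuer relationship from the post).
func issue(subject pkix.Name, isCA bool, parent *entity) *entity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	nextSerial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(nextSerial), Subject: subject, // the DN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent = &entity{tmpl, priv}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key))
	return &entity{must(x509.ParseCertificate(der)), priv}
}

// revoke signs a CRL under issuer that lists one serial number.
func revoke(issuer *entity, serial *big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now()}}}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key))
	return must(x509.ParseRevocationList(der))
}

func want(expect string, got []string) bool {
	return expect == "" || (len(got) > 0 && got[0] == expect)
}

// authorize answers "may this node join?": a chain ending at root, a fresh CRL
// from the leaf's own issuer that does not list it, and a Subject matching p.
func authorize(leaf, root, ca *x509.Certificate, crl *x509.RevocationList, p Policy) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	issuer := chains[0][1] // chains[0][0] is the leaf; [1] is the CA that signed it
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl not from leaf issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) { // a stale CRL is not evidence of anything
		return fmt.Errorf("crl stale since %v", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %v revoked", leaf.SerialNumber)
		}
	}
	s := leaf.Subject
	if !want(p.Organization, s.Organization) || !want(p.Country, s.Country) ||
		!want(p.OrganizationalUnit, s.OrganizationalUnit) {
		return fmt.Errorf("subject %q outside policy %+v", s.String(), p)
	}
	return nil
}

// scenario builds a constructed two-tier PKI with invented names (corporate root
// -> Berlin office CA -> node-a in OU dc1 and node-b in OU dc2, node-b then
// revoked) and returns the outcome of several authorization checks.
func scenario() map[string]error {
	org, de := []string{"Example Corp"}, []string{"DE"}
	root := issue(pkix.Name{CommonName: "Example Root", Organization: org}, true, nil)
	ca := issue(pkix.Name{CommonName: "Berlin Office CA", Organization: org, Country: de}, true, root)
	a := issue(pkix.Name{CommonName: "node-a", Organization: org, Country: de, OrganizationalUnit: []string{"dc1"}}, false, ca)
	b := issue(pkix.Name{CommonName: "node-b", Organization: org, Country: de, OrganizationalUnit: []string{"dc2"}}, false, ca)
	crl := revoke(ca, b.cert.SerialNumber) // node-b's key was compromised
	return map[string]error{
		"node-a, same org":       authorize(a.cert, root.cert, ca.cert, crl, Policy{Organization: "Example Corp"}),
		"node-a, wants dc2":      authorize(a.cert, root.cert, ca.cert, crl, Policy{OrganizationalUnit: "dc2"}),
		"node-b, revoked":        authorize(b.cert, root.cert, ca.cert, crl, Policy{}),
		"node-a, node-b as root": authorize(a.cert, b.cert, ca.cert, crl, Policy{}),
	}
}

func main() {
	for name, err := range scenario() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Two design points worth noting: the CRL is checked against the issuer recovered from the verified chain, not one the caller names, so a CRL signed by some other CA cannot vouch for this leaf; and a CRL past its NextUpdate is rejected outright, because once a grid relies on revocation, a node that cannot obtain a fresh list has no basis for admitting anyone.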