[zeromq-dev] Certificate formats
Tony Arcieri
bascule at gmail.com
Thu Oct 3 22:13:50 CEST 2013
On Wed, Oct 2, 2013 at 12:11 AM, Pieter Hintjens <ph at imatix.com> wrote:
> So this may be a very stupid question, but what does a certificate
> have to hold that is so complex?
Well, first, I'm not sure what I'm describing that's "so complex" ;)
Simplicity is my aim! But there are many things certificates need to do in
the scope of organizational usage, especially in large systems administered
by many people.
> We have one or two keys, some meta
> data... why would you be thinking of anything more complex than
> plain text?
>
Certificates need to contain the following:
- Identities (i.e. DNs)
- Relationships between identities (i.e. issuers, chains of trust)
- Keys
In an infrastructural scenario, we may want certificates to all belong to
an organization, but limit authority at various levels of granularity, i.e.:
1) Do we all belong to the same organization?
2) Are we in the same office/country?
3) Are we in the same OU/division/datacenter?
>
> For a grid, yes, a certificate server seems the right model. I've not
> thought about CRLs as we don't have the use case for revocation yet.
If you do have grids that trust a CA for authentication (perhaps checking
OUs or whatever) you will want a way to revoke the keys/certificates of
nodes that are compromised.
--
Tony Arcieri
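The three things Tony lists (identities, issuer relationships, keys) plus the scoped-authority and revocation points, as an added illustration that is not part of the thread or of ZeroMQ's own certificate code. Certificates are modelled as DN dictionaries with an issuer link; each issuer carries a hypothetical `scope` of DN attributes it may vouch for, and signature verification is assumed to happen elsewhere (all keys are constructed placeholder strings).

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, List

@dataclass(frozen=True)
class Cert:
    dn: Dict[str, str]           # identity, e.g. {"O": "Acme", "C": "US", "OU": "dc1"}
    pubkey: str                  # placeholder key id (constructed, not a real key)
    issuer: Optional[str]        # pubkey of the issuing cert; None for a root
    scope: Tuple[str, ...] = ()  # hypothetical: DN attributes this cert may issue within

class ChainError(Exception):
    pass

def shared_levels(a: Cert, b: Cert) -> List[str]:
    """Which of the 'same organisation / country / OU' questions are answered yes."""
    return [attr for attr in ("O", "C", "OU") if attr in a.dn and a.dn.get(attr) == b.dn.get(attr)]

def verify_chain(leaf: Cert, store: Dict[str, Cert], anchors: set, revoked: set) -> List[dict]:
    """Walk leaf -> issuer -> ... -> trusted anchor, returning the DNs on the path.
    `revoked` plays the role of a CRL: any revoked key on the path fails the chain."""
    path, cert, seen = [], leaf, set()
    while True:
        if cert.pubkey in revoked:
            raise ChainError(f"revoked: {cert.dn}")
        if cert.pubkey in seen:
            raise ChainError("issuer loop")
        seen.add(cert.pubkey)
        path.append(cert.dn)
        if cert.pubkey in anchors:
            return path
        if cert.issuer is None:
            raise ChainError(f"untrusted root: {cert.dn}")
        issuer = store.get(cert.issuer)
        if issuer is None:
            raise ChainError(f"unknown issuer for {cert.dn}")
        # Limited authority: the issuer may only vouch for certs that match it on every scoped attribute
        for attr in issuer.scope:
            if cert.dn.get(attr) != issuer.dn.get(attr):
                raise ChainError(f"{issuer.dn} may not issue for {cert.dn}: {attr} differs")
        cert = issuer

# Constructed sample hierarchy: an org root, a datacenter CA limited to OU=dc1, two nodes.
ROOT = Cert({"O": "Acme"}, "root-pk", None, scope=("O",))
DC1_CA = Cert({"O": "Acme", "C": "US", "OU": "dc1"}, "dc1-pk", "root-pk", scope=("O", "OU"))
NODE_A = Cert({"O": "Acme", "C": "US", "OU": "dc1"}, "node-a-pk", "dc1-pk")
NODE_B = Cert({"O": "Acme", "C": "US", "OU": "dc2"}, "node-b-pk", "dc1-pk")  # issued outside dc1's OU
STORE = {c.pubkey: c for c in (ROOT, DC1_CA, NODE_A, NODE_B)}
ANCHORS = {"root-pk"}
```

`verify_chain(NODE_A, STORE, ANCHORS, set())` succeeds with a three-element path, `NODE_B` is rejected because the dc1 CA's scope does not cover OU=dc2, and adding `"node-a-pk"` to `revoked` rejects node A.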