[zeromq-dev] Certificate formats

Tony Arcieri bascule at gmail.com
Fri Oct 4 19:44:59 CEST 2013

On Thu, Oct 3, 2013 at 10:13 PM, Tom Cocagne <tom.cocagne at gmail.com> wrote:

> ==== Begin ZMQ Cert ====
> uuid: 9af3d710-e762-4cf4-a9cb-e5a5899bf3c8
> public_key: 81A...BF
> [org.cocagne.home_network]
>     name: cool_zmq_app_server
>     webserver_port: 1234
> [zmq.rfc1034]
>     dns_name: org.cocagne.home_network.cool_zmq_app_server
>     http_port: 1234
>     client_authentication_required: True
> [signatures]
> ...
> ==== End ZMQ Cert ====

This is a nice start! Some comments:

- Blocks are good. Yay!
- This looks somewhere in the middle of YAML and TOML/"INI". Would it be
worthwhile to adopt one of these conventions? Perhaps a subset of YAML?
- That said, you have [...] blocks like TOML/"INI" but indentation like
YAML. I think I kind of like it despite the fact it's a bit of a wacky
combo ;)
- What is the source of the UUID? Random? Deterministic? I think it would
be good if certificates had a canonical, "distinguished" form which is
completely deterministic. Given the same inputs we should arrive at the
same certificate every time
- You have a signatures section. What part of the document actually gets
signed? Wouldn't it make more sense for the signature to be independent of
the certificate? What algorithm is used for the signature, and how do you
specify that?
- You have no info about what the public key is. What cipher is it using? I
think keys should be URIs

Some other notes on "minimum requirements" for a certificate format, IMO:

- The certificate format should be describable by a Parsing Expression
- Certificate chains must be supported. We should always think of the
certificate language as being N blocks long
- Order of certificates/keys in a chain shouldn't matter

Other general suggestions:

- Private keys should be separate from the certificate but can be combined
into a chain
- We need a way to encrypt private keys!
- Certificates IDs should be content hashes
- We should sign the Certificate ID
- We should be able to append the signature to the certificate chain

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20131004/1091534e/attachment.htm>

More information about the zeromq-dev mailing list