[zeromq-dev] Certificate formats

Tony Arcieri bascule at gmail.com
Wed Oct 9 18:21:29 CEST 2013


On Wed, Oct 9, 2013 at 6:46 AM, T. Linden <tlinden at cpan.org> wrote:

> But if you start adding stuff like issuers, certificate chains, signing
> and so forth, you'll end up with certificate authorities, maybe you'll
> have to pay to get an "official" curve certificate just like it is today
> with ssl certificates. This would lead to the same problems of CA's
> we've got today: a CA can be compromised (by rogue intelligence agencies
> for example, or malicious attackers) and due to the certificate chaining
> feature it'll become overly complicated.
>

Certificate authorities don't have to be, let's say, DigiNotar, nor do they
even have to be organizations you pay money to. A CA is something you can
set up internally within an organization to sign certificates that are used
by your internal services (this is what we do at my day job at Square).

I think even the most basic infrastructural use of CurveZMQ will
practically require this:

   - We want each node in the grid to have a unique certificate/private key
   - We want nodes in the grid to be able to authenticate each other and
   determine they actually belong to our org
   - We don't want to have to pin a bunch of certificates on every single
   node in the grid every time we add a new node
   - We don't want to have to consult a central database of trusted
   certificates every time two nodes try to connect to each other

An issuing authority (i.e. Your Organization) trusted by all nodes in the
grid solves this problem nicely in a decentralized manner that doesn't
involve consulting some trusted central database every time two nodes want
to talk.

-- 
Tony Arcieri
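As an added illustration of the design sketched in this message (example code, not from the thread or from ZeroMQ/CurveZMQ), the following Go program has an organisation-level issuer sign one certificate per node, after which any node can authenticate any peer while pinning nothing but the issuer's public key. The certificate fields, the encoding and the use of Ed25519 from the standard library as a stand-in for the signing scheme are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// NodeCert binds a node's long-term public key to an identity and an expiry
// under the organisation issuer's signature (hypothetical format, not CurveZMQ's).
type NodeCert struct {
	NodeID    string
	PublicKey ed25519.PublicKey
	NotAfter  int64 // Unix seconds
	Signature []byte
}

// tbs returns the signed bytes; the ID is length-prefixed and the timestamp
// fixed-width, so two distinct certificates can never encode identically.
func (c *NodeCert) tbs() []byte {
	buf := append([]byte{byte(len(c.NodeID) >> 8), byte(len(c.NodeID))}, c.NodeID...)
	buf = append(buf, c.PublicKey...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.NotAfter))
	return append(buf, ts[:]...)
}

// Issue is run by the organisation's CA once per node; nodes never hold the issuer key.
func Issue(issuer ed25519.PrivateKey, id string, pub ed25519.PublicKey, notAfter time.Time) NodeCert {
	c := NodeCert{NodeID: id, PublicKey: pub, NotAfter: notAfter.Unix()}
	c.Signature = ed25519.Sign(issuer, c.tbs())
	return c
}

// Verify is what a node runs on a peer's certificate. Its only trust anchor is
// the issuer public key, so no per-peer pinning or central lookup is needed.
func Verify(issuerPub ed25519.PublicKey, c NodeCert, now time.Time) error {
	if now.Unix() > c.NotAfter {
		return fmt.Errorf("certificate for %q expired", c.NodeID)
	}
	if !ed25519.Verify(issuerPub, c.tbs(), c.Signature) {
		return fmt.Errorf("certificate for %q not signed by our issuer", c.NodeID)
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // the org's CA key pair
	nodePub, _, _ := ed25519.GenerateKey(rand.Reader)             // one grid node's key pair
	cert := Issue(issuerPriv, "node-a.grid.example", nodePub, time.Now().Add(24*time.Hour))
	fmt.Println(Verify(issuerPub, cert, time.Now())) // <nil>: accepted with only the issuer key pinned
}
```

A certificate signed by any other key, an expired one, or one whose identity field was altered after signing is rejected by the same check.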