[zeromq-dev] Certificate formats

Tony Arcieri bascule at gmail.com
Thu Oct 10 17:37:43 CEST 2013

On Thu, Oct 10, 2013 at 6:19 AM, T. Linden <tlinden at cpan.org> wrote:

> The third point contradicts the first two, I'd say. If you want to have
> unique keypairs on each node, you'll need to create and/or distribute
> them to every new node.

Yes, each node will need to generate its own keypair, and have a cert
containing its public key signed by the org's CA.

What each node *doesn't* need is to have every single public key of every
other node on the grid.

> >    An issuing authority (i.e. Your Organization) trusted by all nodes in the
> >    grid solves this problem nicely in a decentralized manner that doesn't
> >    involve consulting some trusted central database every time two nodes want
> >    to talk.
> Actually an issuing authority IS a central instance, IMHO.

I think you're misunderstanding. It's not a database. It's not listening on
a network port. It doesn't have to be available.

> From what I see, you'd need at least the following in such a
> certificate:
> - an OID (or common name, what ever) of the private key
> - the keypair algorithm (Curve25519, maybe others in the future)
> - is the private key encrypted or not (a boolean)
> - if it is encrypted, the encryption scheme used
> - the actual private key
> - the public key (optional)
> - a version number of the certificate file format
> - a version number of the certificate itself (aka serial #)
> - a signature
> - again the scheme used for the signature
> - the OID of the signing private key
> - a timestamp of the creation time
> - optional: expire time

I think I'm halfway there already. Worked on this last night ;)
(actual CFG forthcoming)

> That's a lot of stuff and it's not easy to maintain. And it looks like
> X509 again

What you wind up with will, no doubt, be conceptually similar to X.509.
That's not to say that there's zero room for improvement from X.509. Far
from it.

Tony Arcieri
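The flow Tony describes above (each node generates its own keypair, the org's CA signs a cert carrying the node's public key, and any peer verifies that cert with nothing but the CA's public key), worked through with the fields from the quoted list. This is an added example, not code from the thread or from ZeroMQ; the Ed25519 CA signature scheme, the field names, the "key=value" to-be-signed encoding, and the "org-ca"/"node-17" names are assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NodeCert carries the listed fields minus the private key, which never leaves the node.
type NodeCert struct {
	FormatVersion, Serial          int    // file-format version; certificate version (serial #)
	Name, KeyAlgo, SigAlgo, Signer string // key id; keypair algo ("curve25519"); sig scheme (assumed Ed25519); signing-key id
	PublicKey, Signature           []byte // node's X25519 public key; CA signature over tbs()
	Created, Expires               int64  // unix timestamps; Expires == 0 means no expiry
}

// tbs is the canonical to-be-signed encoding: every field except the signature, in a fixed order.
func (c *NodeCert) tbs() []byte {
	return []byte(fmt.Sprintf("format-version=%d serial=%d name=%s key-algo=%s public-key=%x sig-algo=%s signer=%s created=%d expires=%d",
		c.FormatVersion, c.Serial, c.Name, c.KeyAlgo, c.PublicKey, c.SigAlgo, c.Signer, c.Created, c.Expires))
}

// IssueCert runs at the CA, offline: it only ever sees, and signs, the node's public key.
func IssueCert(caPriv ed25519.PrivateKey, signer, name string, pub []byte, created, expires int64) *NodeCert {
	c := &NodeCert{FormatVersion: 1, Serial: 1, Name: name, KeyAlgo: "curve25519", PublicKey: pub,
		SigAlgo: "ed25519", Signer: signer, Created: created, Expires: expires}
	c.Signature = ed25519.Sign(caPriv, c.tbs())
	return c
}

// Verify runs on a peer that holds nothing but the CA public key: no per-node key list is needed.
func Verify(caPub ed25519.PublicKey, c *NodeCert, now int64) error {
	if c.SigAlgo != "ed25519" || !ed25519.Verify(caPub, c.tbs(), c.Signature) {
		return fmt.Errorf("cert %q: signature does not verify under this CA", c.Name)
	}
	if c.Expires != 0 && now > c.Expires {
		return fmt.Errorf("cert %q: expired", c.Name)
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)   // org CA keypair (constructed)
	nodeKey, _ := ecdh.X25519().GenerateKey(rand.Reader) // node-local keypair; private half stays here
	cert := IssueCert(caPriv, "org-ca", "node-17", nodeKey.PublicKey().Bytes(), 1000, 2000)
	fmt.Println("valid:", Verify(caPub, cert, 1500) == nil) // true
	cert.Serial = 2 // changing any signed field breaks the signature
	fmt.Println("tampered accepted:", Verify(caPub, cert, 1500) == nil) // false
}
```

Because the CA never needs a network port or a database, a signing key kept on an offline machine still works: peers only need its public half, which is the point Tony makes against "central instance".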