[zeromq-dev] Certificate formats

Pieter Hintjens ph at imatix.com
Thu Oct 10 19:48:33 CEST 2013


On Thu, Oct 10, 2013 at 7:23 PM, T. Linden <tlinden at cpan.org> wrote:

> It creates a hash from the password and then a hash from that hash,
> 128.000 times. I admit that this kind of key derivation is simple. But
> libsodium doesn't provide one currently.

OK, understood. We'll need to standardize the algorithm here. It would
indeed be best if libsodium would implement scrypt. Since Frank is
using ZeroMQ, it's plausible.

> That's right and it would work, but you can't authenticate clients based
> on their public key then, can you?

The degree of trust you'd have would depend on how you get such
certificates. If they're sent automatically across public internet,
not much trust. If you are copying them manually, over ssh or by USB
key, quite a lot of trust. One could verify a certificate manually
over a separate channel. I don't know... lots of ways that could be
very costly to attack.

Alternatively the server can generate key pairs for clients, but that
flips the problem around.

-Pieter



More information about the zeromq-dev mailing list