[zeromq-dev] Certificate formats

T. Linden tlinden at cpan.org
Fri Oct 11 14:15:30 CEST 2013


> I'd rather have a single format for all variants. It means one parser.

One more point: you're talking about parsers because one of the
objectives is to have a format recognizable by humans, like the one
proposed by Tony. That's a good idea, but it has a drawback: if it's
readable by humans, it's editable by humans as well. A parser for it
therefore has to be very robust.

So, why not use something easily recognizable by software, encode it
with something like DER, and put the same information in human-readable
form into the cert as well. E.g.:

-----BEGIN CURVE CERTIFICATE BLOCK-----
email: foo at bar
oid: CN=foo.bar/ORG=blah
public-key: "<0<Q15Hu+:}DlM9>W@$k:IPzurEqX4+N1<$@uczj"
-----BEGIN CURVE CERTIFICATE BLOCK-----

A parser would then just ignore the human-readable stuff and only use
the encoded content. So, if someone edits the stuff, it doesn't matter
and will not make the certificate invalid.

Of course, such a solution would require users to use a tool to maintain
certificates. But it doesn't work without a tool anyway, since the
keypairs cannot be created "by hand".



best regards,
Tom

-- 
    PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
 Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC
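The layout Tom sketches above, worked through as an added example (this is not code from the thread or from the ZeroMQ project): a certificate block that carries human-readable annotation lines followed by a base64-wrapped DER body, and a reader that discards the annotations and decodes only the DER. The DER subset (SEQUENCE of two UTF8Strings and one OCTET STRING), the blank line separating annotations from the encoded body, the 64-column base64 wrapping, the field names and the 32-byte sample key are all assumptions made for the example; the block carries no signature, so it only shows the "edits to the readable part cannot invalidate the cert" property, not authenticity.

```python
import base64
import textwrap

BEGIN = "-----BEGIN CURVE CERTIFICATE BLOCK-----"
END = "-----END CURVE CERTIFICATE BLOCK-----"

# Minimal DER tags for the assumed certificate layout.
TAG_OCTET_STRING = 0x04
TAG_UTF8_STRING = 0x0C
TAG_SEQUENCE = 0x30


def der_length(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos; strict about lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:  # reject indefinite and absurd lengths
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def encode_cert(email: str, oid: str, public_key: bytes) -> bytes:
    """SEQUENCE { UTF8String email, UTF8String oid, OCTET STRING public_key } (assumed layout)."""
    fields = (der_tlv(TAG_UTF8_STRING, email.encode("utf-8"))
              + der_tlv(TAG_UTF8_STRING, oid.encode("utf-8"))
              + der_tlv(TAG_OCTET_STRING, public_key))
    return der_tlv(TAG_SEQUENCE, fields)


def decode_cert(der: bytes) -> dict:
    tag, body, end = der_decode_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_decode_tlv(body, pos)
        items.append((tag, value))
    if [t for t, _ in items] != [TAG_UTF8_STRING, TAG_UTF8_STRING, TAG_OCTET_STRING]:
        raise ValueError("unexpected field layout")
    return {"email": items[0][1].decode("utf-8"),
            "oid": items[1][1].decode("utf-8"),
            "public_key": items[2][1]}


def write_cert(email: str, oid: str, public_key: bytes) -> str:
    """Annotation lines, a blank separator, then the base64 DER body (assumed convention)."""
    b64 = base64.b64encode(encode_cert(email, oid, public_key)).decode("ascii")
    lines = [BEGIN, f"email: {email}", f"oid: {oid}", f"public-key: {public_key.hex()}", ""]
    lines += textwrap.wrap(b64, 64)
    lines.append(END)
    return "\n".join(lines) + "\n"


def read_cert(text: str) -> dict:
    """Ignore everything before the blank line; only the encoded body is parsed."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN)
        stop = lines.index(END, start)
    except ValueError:
        raise ValueError("missing BEGIN/END markers") from None
    inner = lines[start + 1:stop]
    if "" not in inner:
        raise ValueError("no encoded body")
    body = inner[inner.index("") + 1:]
    der = base64.b64decode("".join(body), validate=True)
    return decode_cert(der)


# Constructed sample: a 32-byte stand-in for a Curve public key, not a real key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_EMAIL = "foo@bar.example"
SAMPLE_OID = "CN=foo.bar/ORG=blah"

if __name__ == "__main__":
    cert = write_cert(SAMPLE_EMAIL, SAMPLE_OID, SAMPLE_KEY)
    print(cert)
    # A human edits the readable annotation; the parsed content is unaffected.
    edited = cert.replace(f"oid: {SAMPLE_OID}", "oid: CN=edited-by-hand")
    print(read_cert(edited)["oid"])  # still CN=foo.bar/ORG=blah
```

Because the reader decodes only the DER body, the annotation lines are purely informational and a text editor cannot corrupt what the software trusts; conversely, the strict TLV checks mean a hand-edited base64 body fails closed with a ValueError rather than yielding a partially parsed certificate.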
