[zeromq-dev] Certificate formats

Pieter Hintjens ph at imatix.com
Fri Oct 11 16:22:32 CEST 2013


OK, so I'm taking the SSH2 format, more or less, and expanding on that
to make something that covers our needs. I'll post a proposal shortly
(was going to do it this morning but got sidetracked installing Ubuntu
onto an old laptop).

On Fri, Oct 11, 2013 at 2:15 PM, T. Linden <tlinden at cpan.org> wrote:
>> I'd rather have a single format for all variants. It means one parser.
>
> One more point: You're talking about parsers, because one of the
> objectives is to have a format recognizable by humans like the one
> proposed by Tony. That's a good idea but it has a drawback: if it's
> readable by humans it's editable by humans as well. A parser for it has
> to be very robust therefore.
>
> So, why not use something easily recognizable by software, encoding it
> with something like DER and putting the same information in human
> readable form into the cert as well. E.g.:
>
> -----BEGIN CURVE CERTIFICATE BLOCK-----
> email: foo at bar
> oid: CN=foo.bar/ORG=blah
> public-key: "<0<Q15Hu+:}DlM9>W@$k:IPzurEqX4+N1<$@uczj"
>
> IyAgICoqKiogIEdlbmVyYXRlZCBvbiAyMDEzLTA5LTI5IDAwOjMzOjIwIGJ5IENa
> TVEgICoqKioKIyAgIFplcm9NUSBDVVJWRSBQdWJsaWMgQ2VydGlmaWNhdGUKIyAg
> IEV4Y2hhbmdlIHNlY3VyZWx5LCBvciB1c2UgYSBzZWN1cmUgbWVjaGFuaXNtIHRv
> IHZlcmlmeSB0aGUgY29udGVudHMKIyAgIG9mIHRoaXMgZmlsZSBhZnRlciBleGNo
> YW5nZS4gU3RvcmUgcHVibGljIGNlcnRpZmljYXRlcyBpbiB5b3VyIGhvbWUKIyAg
> IGRpcmVjdG9yeSwgaW4gdGhlIC5jdXJ2ZSBzdWJkaXJlY3RvcnkuCgptZXRhZGF0
> YQogICAgbmFtZSA9ICJrIgogICAgYWVzMjU2LWVuY3J5cHRlZC1zZWNyZXQgPSAi
> ZGlzYWJsZWQiCiAgICBvcmcgPSAieCIKICAgIGVtYWlsID0gImEiCmN1cnZlCiAg
> ICBwdWJsaWMta2V5ID0gIjwwPFExNUh1Kzp9RGxNOT5XQCRrOklQenVyRXFYNCtO
> MTwkQHVjemoiCg==
> -----BEGIN CURVE CERTIFICATE BLOCK-----
>
> A parser would then just ignore the human-readable stuff and only use
> the encoded content. So, if someone edits the stuff, it doesn't matter
> and will not make the certificate invalid.
>
> Of course such a solution would require users to use a tool to maintain
> certificates. But it doesn't work without a tool anyway, since the
> keypairs cannot be created "by hand".
>
>
>
> best regards,
> Tom
>
> --
>     PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
> S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
>  Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC
>
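A minimal parser for the certificate layout Tom sketches above, added here as an example and not code from the thread or from CZMQ: only the base64-encoded block is used as the certificate content, the human-readable header lines are parsed but treated as untrusted, and the displayed public key is cross-checked against the encoded one so a hand edit that makes the two disagree is noticed. The ZPL-style canonical text and the cross-check are my assumptions, not part of the proposal.

```python
import base64
import re

BEGIN = "-----BEGIN CURVE CERTIFICATE BLOCK-----"
END = "-----END CURVE CERTIFICATE BLOCK-----"

# Constructed sample: the canonical (machine-readable) content is a small
# ZPL-style text, as CZMQ writes certificates; the public key is the Z85
# string from Tom's example.
KEY = "<0<Q15Hu+:}DlM9>W@$k:IPzurEqX4+N1<$@uczj"
CANONICAL = f'metadata\n    email = "foo@bar"\ncurve\n    public-key = "{KEY}"\n'


def build_cert(canonical, headers):
    """Assemble a cert: header lines, a blank line, then base64 of the canonical text."""
    body = base64.b64encode(canonical.encode()).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    lines = [BEGIN] + [f"{k}: {v}" for k, v in headers.items()] + ["", wrapped, END]
    return "\n".join(lines) + "\n"


def parse_cert(text):
    """Return (headers, canonical_text); only the base64 part decides the content."""
    m = re.search(re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("missing BEGIN/END markers")
    block = m.group(1).splitlines()
    # Header lines run up to the first blank line; everything after is base64.
    blank = block.index("") if "" in block else 0
    headers = {}
    for line in block[:blank]:
        k, sep, v = line.partition(":")
        if sep:
            headers[k.strip()] = v.strip()
    canonical = base64.b64decode("".join(block[blank:]), validate=True).decode()
    return headers, canonical


def canonical_public_key(canonical):
    m = re.search(r'^\s*public-key\s*=\s*"([^"]*)"', canonical, re.M)
    return m.group(1) if m else None


def check_headers(headers, canonical):
    """True when the human-readable public-key matches the encoded one."""
    shown = headers.get("public-key", "").strip('"')
    return shown == canonical_public_key(canonical)
```

Editing the email header changes nothing the parser relies on, while editing the displayed public key is caught by check_headers.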


