[zeromq-dev] Certificate formats

Thomas S Hatch thatch45 at gmail.com
Fri Oct 11 23:39:37 CEST 2013


I did want to interject that using something like DER can be a real pain,
but as long as it is also human readable then I won't complain :)

Thomas S. Hatch  |  Founder, CTO


5272 South College Drive, Suite 301 | Murray, UT 84123
thatch at saltstack.com | www.saltstack.com <http://saltstack.com/>


On Fri, Oct 11, 2013 at 8:22 AM, Pieter Hintjens <ph at imatix.com> wrote:

> OK, so I'm taking the SSH2 format, more or less, and expanding on that
> to make something that covers our needs. I'll post a proposal shortly
> (was going to do it this morning but got sidetracked installing Ubuntu
> onto an old laptop).
>
> On Fri, Oct 11, 2013 at 2:15 PM, T. Linden <tlinden at cpan.org> wrote:
> >> I'd rather have a single format for all variants. It means one parser.
> >
> > One more point: You're talking about parsers, because one of the
> > objectives is to have a format recognizable by humans like the one
> > proposed by Tony. That's a good idea but it has a drawback: if it's
> > readable by humans it's editable by humans as well. A parser for it has
> > to be very robust therefore.
> >
> > So, why not use something easily recognizable by software, encode it
> > with something like DER and put the same information in human
> > readable form into the cert as well. E.g.:
> >
> > -----BEGIN CURVE CERTIFICATE BLOCK-----
> > email: foo at bar
> > oid: CN=foo.bar/ORG=blah
> > public-key: "<0<Q15Hu+:}DlM9>W@$k:IPzurEqX4+N1<$@uczj"
> >
> > IyAgICoqKiogIEdlbmVyYXRlZCBvbiAyMDEzLTA5LTI5IDAwOjMzOjIwIGJ5IENa
> > TVEgICoqKioKIyAgIFplcm9NUSBDVVJWRSBQdWJsaWMgQ2VydGlmaWNhdGUKIyAg
> > IEV4Y2hhbmdlIHNlY3VyZWx5LCBvciB1c2UgYSBzZWN1cmUgbWVjaGFuaXNtIHRv
> > IHZlcmlmeSB0aGUgY29udGVudHMKIyAgIG9mIHRoaXMgZmlsZSBhZnRlciBleGNo
> > YW5nZS4gU3RvcmUgcHVibGljIGNlcnRpZmljYXRlcyBpbiB5b3VyIGhvbWUKIyAg
> > IGRpcmVjdG9yeSwgaW4gdGhlIC5jdXJ2ZSBzdWJkaXJlY3RvcnkuCgptZXRhZGF0
> > YQogICAgbmFtZSA9ICJrIgogICAgYWVzMjU2LWVuY3J5cHRlZC1zZWNyZXQgPSAi
> > ZGlzYWJsZWQiCiAgICBvcmcgPSAieCIKICAgIGVtYWlsID0gImEiCmN1cnZlCiAg
> > ICBwdWJsaWMta2V5ID0gIjwwPFExNUh1Kzp9RGxNOT5XQCRrOklQenVyRXFYNCtO
> > MTwkQHVjemoiCg==
> > -----END CURVE CERTIFICATE BLOCK-----
> >
> > A parser would then just ignore the human-readable stuff and only use
> > the encoded content. So, if someone edits the stuff, it doesn't matter
> > and will not make the certificate invalid.
> >
> > Of course such a solution would require users to use a tool to maintain
> > certificates. But it doesn't work without a tool anyway, since the
> > keypairs cannot be created "by hand".
> >
> >
> >
> > best regards,
> > Tom
> >
> > --
> >     PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
> > S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
> >  Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC
> >
> > _______________________________________________
> > zeromq-dev mailing list
> > zeromq-dev at lists.zeromq.org
> > http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
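As an added illustration of Tom's proposal (example code written for this page, not from the thread or from any ZeroMQ project): a parser that takes the certificate fields only from the base64 payload, treats the human-readable lines as editable display hints, and reports where the two disagree. The sample block and its decoded payload are constructed here from the certificate quoted above; the marker names, field names and Z85 key are taken from that block.

```python
import base64
import re

# Constructed sample modelled on the certificate block quoted in the thread:
# the payload is the ZPL-style CZMQ certificate text that the base64 encodes.
ENCODED_PAYLOAD = (
    '#   ****  Generated on 2013-09-29 00:33:20 by CZMQ  ****\n'
    'metadata\n    name = "k"\n    org = "x"\n    email = "a"\n'
    'curve\n    public-key = "<0<Q15Hu+:}DlM9>W@$k:IPzurEqX4+N1<$@uczj"\n'
)
_b64 = base64.b64encode(ENCODED_PAYLOAD.encode()).decode()
SAMPLE_CERT = (  # the "email:" hint deliberately disagrees with the payload
    "-----BEGIN CURVE CERTIFICATE BLOCK-----\n"
    "email: foo at bar\noid: CN=foo.bar/ORG=blah\n"
    'public-key: "<0<Q15Hu+:}DlM9>W@$k:IPzurEqX4+N1<$@uczj"\n\n'
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n-----END CURVE CERTIFICATE BLOCK-----\n"
)
BEGIN = "-----BEGIN CURVE CERTIFICATE BLOCK-----"
END = "-----END CURVE CERTIFICATE BLOCK-----"
_HINT = re.compile(r"^([\w-]+):\s*(.*)$")        # human-readable "key: value"
_ZPL = re.compile(r'^\s+([\w-]+)\s*=\s*"(.*)"$')  # indented ZPL 'key = "value"'


def parse_cert(text):
    """Return (fields, hints, mismatches): `fields` comes only from the base64
    payload and is the sole source of truth, `hints` are the editable
    human-readable lines, `mismatches` lists hint keys that disagree."""
    lines = text.splitlines()
    try:
        body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    except ValueError:
        raise ValueError("missing BEGIN/END markers") from None
    hints, b64 = {}, []
    for line in body:
        m = _HINT.match(line)
        if m:
            hints[m.group(1)] = m.group(2).strip('"')
        elif line.strip():  # every other non-blank line is encoded payload
            b64.append(line.strip())
    payload = base64.b64decode("".join(b64), validate=True).decode()
    fields = {}
    for line in payload.splitlines():
        m = _ZPL.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    mismatches = [k for k, v in hints.items() if k in fields and fields[k] != v]
    return fields, hints, mismatches
```

Editing a hint line (or the whole human-readable header) leaves `fields` unchanged, which is the property Tom describes; a tool can still surface `mismatches` so a stale annotation does not mislead whoever reads the file.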