[zeromq-dev] Certificate formats

Tony Arcieri bascule at gmail.com
Tue Oct 15 17:55:44 CEST 2013

On Fri, Oct 11, 2013 at 5:15 AM, T. Linden <tlinden at cpan.org> wrote:

> That's a good idea but it has a drawback: if it's readable by humans
> it's editable by humans as well. A parser for it has to be very robust

Yes, this is why I'm proposing to have extremely strict rules about what's
considered a valid certificate, and also suggesting using content hashes
(perhaps in a DKIM-like fashion) to identify certificates, i.e.: if you
make any changes to a certificate, it becomes a new certificate entirely.

> So, why not using something easily recognizable by software, encoding it
> with something like DER and putting the same information in human
> readable form into the cert as well.

This sounds a lot like PKCS#12 "Friendly Names", which if I was happy with
I'd just use PKCS#12 ;)

There's a few reasons why I don't like this:

- Duplication of information makes certificates longer. IMO longer
  certificates are hard to work with
- Not all of the information is human readable. Ideally I'd like to make
  everything human readable (albeit not memorable)
- I would like for humans to be able to work with the certificates without
  tools, extracting bits and pieces of them (e.g. keys) without having to
  resort to e.g. openssl x509/pkcs12
Tony Arcieri
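
Added example (not part of the original message and not ZeroMQ code): a sketch of the two ideas in the reply above, a parser that accepts exactly one byte encoding per certificate, and a content hash as the certificate's identity. The `example-cert-v1` format, its field names and the choice of SHA-256 are assumptions made for illustration; the thread does not define them.

```python
import hashlib
import re

# Hypothetical format, constructed for this example: a fixed header line,
# then exactly these fields in exactly this order, LF line endings only.
HEADER = b"example-cert-v1"
FIELDS = [
    (b"name", re.compile(rb"[a-z0-9.-]{1,64}")),
    (b"public-key", re.compile(rb"[0-9a-f]{64}")),
]


class InvalidCertificate(ValueError):
    pass


def parse_cert(raw: bytes) -> dict:
    """Strictly parse a certificate; any deviation from the one canonical
    encoding is an error, so each certificate has exactly one byte form."""
    if not raw.endswith(b"\n") or raw.endswith(b"\n\n"):
        raise InvalidCertificate("must end with exactly one LF")
    lines = raw[:-1].split(b"\n")
    if len(lines) != 1 + len(FIELDS) or lines[0] != HEADER:
        raise InvalidCertificate("bad header or wrong number of lines")
    cert = {}
    for line, (key, pattern) in zip(lines[1:], FIELDS):
        prefix = key + b": "
        if not line.startswith(prefix):
            raise InvalidCertificate(f"expected field {key.decode()!r}")
        value = line[len(prefix):]
        if not pattern.fullmatch(value):
            raise InvalidCertificate(f"malformed value for {key.decode()!r}")
        cert[key.decode()] = value.decode("ascii")
    return cert


def cert_id(raw: bytes) -> str:
    """Content-hash identity: SHA-256 over the exact bytes, valid certs only."""
    parse_cert(raw)
    return hashlib.sha256(raw).hexdigest()


# Constructed sample certificate (the key is a dummy value, not a real key).
SAMPLE = b"example-cert-v1\nname: alice\npublic-key: " + b"ab" * 32 + b"\n"
EDITED = SAMPLE.replace(b"alice", b"mallory")       # valid, but a new cert
SLOPPY = SAMPLE.replace(b"name: ", b"name:  ")      # extra space: rejected
```

Because only one encoding is accepted, a hand edit either fails validation outright or produces a certificate with a different identifier; it can never silently alter an existing one.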