[zeromq-dev] Proposal for ZeroMQ certificate format

Pieter Hintjens ph at imatix.com
Wed Oct 16 15:21:25 CEST 2013


http://en.wikipedia.org/wiki/Public_key_fingerprint is relevant and
describes the use case and vulnerabilities accurately.

We have, I think, three options:

- MD5 fingerprinting, with the risk of collisions
- a more secure hash, which we must truncate to fit the use case, e.g.
first 6 bytes of SHA512 hash
- no fingerprinting at all

-Pieter


On Wed, Oct 16, 2013 at 3:08 PM, T. Linden <tlinden at cpan.org> wrote:
> On Wed, Oct 16, 2013 at 01:59:54PM +0200, Pieter Hintjens wrote:
>> However I'm not convinced we can ignore manual verification. If I send
>> you my public key and then call you to check whether you got it, how
>> are you going to tell me what you got?
>
> Well, that's an argument.
>
> Then what about some kind of id? Something like PGP is using, e.g.:
> 0xA8960B17? I've got no clue how it's computed but such a key-id is
> short enough for user verification.
>
>
>
> regards,
> Tom
>
> --
>     PGP Key: https://www.daemon.de/txt/tom-pgp-pubkey.txt
> S/Mime Cert: https://www.daemon.de/txt/tom-smime-cert.pem
>  Bitmessage: BM-2DAcYUx3xByfwbx2bYYxeXgq3zDscez8wC
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev



-- 
-
Pieter Hintjens
CEO of iMatix.com
Founder of ZeroMQ community
blog: http://hintjens.com



More information about the zeromq-dev mailing list