[zeromq-dev] Proposal for ZeroMQ certificate format
Laurent Alebarde
l.alebarde at free.fr
Wed Oct 16 19:14:34 CEST 2013
Nice !
Le 16/10/2013 19:11, Pieter Hintjens a écrit :
> On Wed, Oct 16, 2013 at 6:57 PM, Laurent Alebarde <l.alebarde at free.fr> wrote:
>
>> Please, keep the public key secret.
> Indeed...
>
> So here's my last proposal before I quit for the day :-)
>
> We use the full SHA512 hash, keeping the public key and metadata
> secret and boxed for the recipient.
>
> We print the full 64-byte signature in the certificate BUT we make it
> possible to do partial random verification.
>
> Depending on the level of trust, parties can verify more or less of
> the fingerprint.
>
> Here's the format I'd suggest:
>
> (00)BB:88:47:1D (01)65:E2:65:9B (02)30:C5:5A:53 (03)21:CE:BB:5A
> (10)AB:2B:70:A3 (11)98:64:5C:26 (12)DC:A2:B2:FC (13)B4:3F:C5:18
> (20)7B:B8:64:B4 (21)89:AF:A3:67 (22)1F:BE:69:10 (23)1F:94:B3:89
> (30)72:F2:48:16 (31)DF:B0:1B:51 (32)65:6B:3F:EC (33)8D:FD:08:88
>
> So when I call Laurent I can say, "what is group 33? 12? 20? 31?"
>
> That keeps the bandwidth of the fingerprint down to a minimum while
> making it impossible for an attacker to pass the test*.
>
> -Pieter
>
> * unless you invoke realtime voice imitation/recognition MIM attacks,
> which make any signature pointless.
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20131016/5c0973dc/attachment.htm>
More information about the zeromq-dev
mailing list