On Tue, Oct 01, 2013 at 11:21:58AM +0000, Pieter Hintjens wrote:
> I've started to collect requirements, in the hope we can make a standard
> format.

Unfortunately I don't see a simple possibility for the other side to verify if my certificate has not been forged (Certificate Signing). Though you may use the GPG approach of public crypto servers holding the signatures but this makes it more complicated than really needed.

So you are basically left with three options IMO:

- PKI as we know it from SSL with CAs
- Web of Trust like GPG/PGP
- Manually add authorized/trusted public keys

Personally I think the best option would be a mix:

1. Check if the public key has been signed with my (server) key
2. IF NOT look up if it has been added to a list/file of allowed keys (like ssh does with authorized_keys)

And no, I'm not a cryptographer. :(
_______________________________________________
zeromq-dev mailing list
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
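
The two-step check proposed in the message above, sketched as an added example (not code from the post or from the ZeroMQ project). It assumes Ed25519 signatures stand in for "signed with my (server) key" and a hex-encoded, one-key-per-line allowlist stands in for an authorized_keys-style file; `Authorize`, `Demo` and all keys are hypothetical and constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Authorize reports how clientPub was accepted ("signed", "allowlisted") or "" if rejected.
// sig is the server's signature over clientPub (may be nil); allowlist is hex keys, '#' comments.
func Authorize(serverPub ed25519.PublicKey, clientPub, sig []byte, allowlist string) string {
	// Step 1: has the client public key been signed with the server key?
	if len(sig) == ed25519.SignatureSize && ed25519.Verify(serverPub, clientPub, sig) {
		return "signed"
	}
	// Step 2: if not, look it up in the list of explicitly allowed keys.
	sc := bufio.NewScanner(strings.NewReader(allowlist))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		key, err := hex.DecodeString(fields[0]) // malformed entries are skipped
		if err == nil && subtle.ConstantTimeCompare(key, clientPub) == 1 {
			return "allowlisted"
		}
	}
	return "" // default deny: neither signed nor listed
}

// Demo runs three constructed cases: signed key, allowlisted key, key signed by a foreign key.
func Demo() [3]string {
	seed := func(b byte) []byte { return bytes.Repeat([]byte{b}, ed25519.SeedSize) }
	server := ed25519.NewKeyFromSeed(seed(1))
	pub := func(b byte) []byte { return ed25519.NewKeyFromSeed(seed(b)).Public().(ed25519.PublicKey) }
	a, b, c := pub(2), pub(3), pub(4)
	list := "# constructed allowlist\n" + hex.EncodeToString(b) + " bob\n"
	serverPub := server.Public().(ed25519.PublicKey)
	return [3]string{
		Authorize(serverPub, a, ed25519.Sign(server, a), list),
		Authorize(serverPub, b, nil, list),
		Authorize(serverPub, c, ed25519.Sign(ed25519.NewKeyFromSeed(seed(9)), c), list),
	}
}

func main() { fmt.Println(Demo()) }
```

The third case shows why step 1 must verify against the server's own public key: a valid signature from any other key falls through to the allowlist and is rejected when the key is not listed.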
