I've been working on a certificate format of my own ;) Would be great to combine efforts! I'm still rather open on a number of details.
https://github.com/cryptosphere/cif

I'm also in the "gathering requirements" phase, so you won't find much of a specification there. Having been up to my eyeballs in X.509 for a while, there are a number of problems I'd like to see solved, though. I should spell them out in the README, but I can spell them out for you here:

1) There should only be one possible (i.e. "distinguished") encoding of any given certificate!
2) Certificates should be human-readable (no ASN.1).
3) It should be easy to extract keys from certificates without a special tool.
4) It should be easy to combine certificates and keys without a special tool.
5) Distinguished Names should have one, canonical (dare I say "distinguished") representation. I think that representation should be a URI.
6) Signatures by an issuer should contain all information necessary to validate a signature from a given trust root. It should not be necessary to assemble certificate chains by hand.

I'd like for everything (keys, DNs, etc.) to be represented as URIs if possible.

I've been looking at self-delimited strings (specifically pkt-lines) as the structuring mechanism. Self-delimiting strings eliminate the need for complex escaping rules (especially if we're encoding strings that already have escaping rules, like URIs), and it's trivial to write a parser for them in any language. I could be convinced otherwise, but formats like JSON or TOML would make it difficult to achieve #1 on my list.

I would also like to address the LANGSEC concerns about X.509/ASN.1. They recommend a regular or context-free grammar, but I've talked with Meredith Patterson about using a context-sensitive grammar, and pkt-lines seem to address their concerns. I strongly recommend reading their paper though, especially if you're trying to design a new certificate format: http://www.cs.dartmouth.edu/~sergey/langsec/papers/langsec-tr.pdf

-- 
Tony Arcieri
_______________________________________________ zeromq-dev mailing list [email protected] http://lists.zeromq.org/mailman/listinfo/zeromq-dev
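As an added example (not code from the cif project or from the message above), here is a strict pkt-line encoder/decoder in Python. It shows the self-delimiting property Tony describes and how a decoder that rejects uppercase hex, short reads and trailing bytes enforces requirement #1, one encoding per message; the field contents are constructed placeholders, not a cif field syntax.

```python
"""Strict pkt-line framing: '<4 lowercase hex digits of total length><payload>',
terminated by the flush packet '0000'. Example code, not the cif project's own."""
import re

MAX_PKT = 0xFFFF                      # largest value the 4-digit length field can hold
_LEN_RE = re.compile(rb"[0-9a-f]{4}")  # lowercase only: 'A' and 'a' would be two encodings

# Constructed sample fields (placeholders, not a real certificate layout).
SAMPLE_FIELDS = [b"subject=uri:example:alice", b"key=uri:example:key/PLACEHOLDER"]


def encode(fields):
    """Frame each byte-string field as one pkt-line and append the flush packet."""
    out = bytearray()
    for field in fields:
        total = len(field) + 4            # the length counts its own 4-byte prefix
        if total > MAX_PKT:
            raise ValueError("field too long for one pkt-line")
        out += f"{total:04x}".encode("ascii") + field
    out += b"0000"
    return bytes(out)


def decode(buf):
    """Parse strictly; any deviation from the canonical form is a hard error."""
    fields, pos = [], 0
    while True:
        hdr = buf[pos:pos + 4]
        if not _LEN_RE.fullmatch(hdr):
            raise ValueError(f"bad length prefix at offset {pos}: {hdr!r}")
        total = int(hdr, 16)
        pos += 4
        if total == 0:                    # flush packet ends the message
            break
        if total < 4:                     # 0001-0003 cannot frame any payload
            raise ValueError(f"impossible length {total} at offset {pos - 4}")
        payload = buf[pos:pos + total - 4]
        if len(payload) != total - 4:
            raise ValueError("truncated pkt-line")
        fields.append(payload)
        pos += total - 4
    if pos != len(buf):                   # no bytes may follow the flush packet
        raise ValueError("trailing data after flush packet")
    return fields


def is_canonical(buf):
    """True only if buf parses and re-encodes to exactly the same bytes."""
    try:
        return encode(decode(buf)) == buf
    except ValueError:
        return False
```

Because the parser never has to look for a delimiter inside the payload, URIs with their own escaping rules pass through untouched, and the only accepted spelling of a message is the one `encode` produces.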
