On Thu, Oct 3, 2013 at 10:13 PM, Tom Cocagne <[email protected]> wrote:
> ==== Begin ZMQ Cert ====
> uuid: 9af3d710-e762-4cf4-a9cb-e5a5899bf3c8
> public_key: 81A...BF
> [org.cocagne.home_network]
> name: cool_zmq_app_server
> webserver_port: 1234
> [zmq.rfc1034]
> dns_name: org.cocagne.home_network.cool_zmq_app_server
> http_port: 1234
> client_authentication_required: True
> [signatures]
> ...
> ==== End ZMQ Cert ====

This is a nice start! Some comments:

- Blocks are good. Yay!
- This looks somewhere in the middle of YAML and TOML/"INI". Would it be worthwhile to adopt one of these conventions? Perhaps a subset of YAML?
- That said, you have [...] blocks like TOML/"INI" but indentation like YAML. I think I kind of like it despite the fact it's a bit of a wacky combo ;)
- What is the source of the UUID? Random? Deterministic? I think it would be good if certificates had a canonical, "distinguished" form which is completely deterministic. Given the same inputs we should arrive at the same certificate every time.
- You have a signatures section. What part of the document actually gets signed? Wouldn't it make more sense for the signature to be independent of the certificate? What algorithm is used for the signature, and how do you specify that?
- You have no info about what the public key is. What cipher is it using? I think keys should be URIs.

Some other notes on "minimum requirements" for a certificate format, IMO:

- The certificate format should be describable by a Parsing Expression Grammar
- Certificate chains must be supported. We should always think of the certificate language as being N blocks long
- Order of certificates/keys in a chain shouldn't matter

Other general suggestions:

- Private keys should be separate from the certificate but can be combined into a chain
- We need a way to encrypt private keys!
- Certificate IDs should be content hashes
- We should sign the Certificate ID
- We should be able to append the signature to the certificate chain

-- 
Tony Arcieri
_______________________________________________ zeromq-dev mailing list [email protected] http://lists.zeromq.org/mailman/listinfo/zeromq-dev
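The canonical-form and content-hash-ID ideas from the reply above, as an added Python example that is not part of this thread or of any ZeroMQ code: it parses the sketched block format, serializes it deterministically with the [signatures] section left out, and derives the certificate ID as a hash of that form, so the ID is stable under reordering and is what a signature would cover. The sample certificate is constructed from the quoted sketch (uuid line dropped, public_key value a placeholder, a made-up signature entry), and the `[section]` / `key: value` syntax is an assumption about the format.

```python
import hashlib, re

# Constructed sample from the quoted sketch (uuid dropped; public_key value is a placeholder).
SAMPLE_CERT = """\
==== Begin ZMQ Cert ====
public_key: 81A...BF
[org.cocagne.home_network]
name: cool_zmq_app_server
[zmq.rfc1034]
dns_name: org.cocagne.home_network.cool_zmq_app_server
http_port: 1234
[signatures]
alice: deadbeef
==== End ZMQ Cert ====
"""
BEGIN, END = "==== Begin ZMQ Cert ====", "==== End ZMQ Cert ===="
SECTION_RE = re.compile(r"^\[([A-Za-z0-9_.]+)\]$")  # assumed section syntax
KV_RE = re.compile(r"^([A-Za-z0-9_]+):\s*(.*)$")     # assumed key: value syntax

def parse_cert(text):
    """Parse the block format into {section: {key: value}}; top-level keys go in section ''."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing Begin/End markers")
    sections, current = {"": {}}, ""
    for line in lines[1:-1]:
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif m := KV_RE.match(line):
            if m.group(1) in sections[current]:
                raise ValueError(f"duplicate key {m.group(1)!r} in [{current}]")
            sections[current][m.group(1)] = m.group(2)
        else:
            raise ValueError(f"unparseable line: {line!r}")
    return sections

def canonical_form(sections):
    """Deterministic form: sorted sections/keys, [signatures] omitted (signatures cover the ID)."""
    out = []
    for name in sorted(sections):
        if name == "signatures":
            continue
        if name:
            out.append(f"[{name}]")
        out.extend(f"{k}: {sections[name][k]}" for k in sorted(sections[name]))
    return "\n".join(out) + "\n"

def cert_id(sections):
    """Content-hash certificate ID: SHA-256 hex of the canonical form (this is what gets signed)."""
    return hashlib.sha256(canonical_form(sections).encode("utf-8")).hexdigest()
```

Two certificates that differ only in section/key order or in their [signatures] block get the same ID, while any change to a signed field changes it.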
