On Wed, Oct 9, 2013 at 6:46 AM, T. Linden <tlin...@cpan.org> wrote:

> But if you start adding stuff like issuers, certificate chains, signing
> and so forth, you'll end up with certificate authorities, maybe you'll
> have to pay to get an "official" curve certificate just like it is today
> with ssl certificates. This would lead to the same problems of CA's
> we've got today: a CA can be compromised (by rogue intelligence agencies
> for example, or malicious attackers) and due to the certificate chaining
> feature it'll become overly complicated.
>

Certificate authorities don't have to be, let's say, DigiNotar, nor do they
even have to be organizations you pay money to. A CA is something you can
set up internally within an organization to sign certificates that are used
by your internal services (this is what we do at my day job at Square).

I think even the most basic infrastructural use of CurveZMQ will
practically require this:

   - We want each node in the grid to have a unique certificate/private key
   - We want nodes in the grid to be able to authenticate each other and
   determine they actually belong to our org
   - We don't want to have to pin a bunch of certificates on every single
   node in the grid every time we add a new node
   - We don't want to have to consult a central database of trusted
   certificates every time two nodes try to connect to each other

An issuing authority (i.e. Your Organization) trusted by all nodes in the
grid solves this problem nicely in a decentralized manner that doesn't
involve consulting some trusted central database every time two nodes want
to talk.

-- 
Tony Arcieri
_______________________________________________
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
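The scheme Tony describes in the reply above (each node holds its own key, the org acts as issuing authority, and any two nodes can verify each other with nothing but the pinned org public key), worked through as an added example that is not part of the thread or of CurveZMQ. CurveZMQ itself only does Curve25519 key exchange and has no signature primitive, so this example uses Ed25519 from Go's standard library as a stand-in signing algorithm; the `NodeCert` structure, its field layout and the `Issue`/`Verify` functions are hypothetical choices made here, not anything the protocol or libzmq defines. The checks at the end also show the failure modes the thread worries about: a certificate issued by a different (or rogue) CA, a tampered certificate, and an expired one are all rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// NodeCert is a hypothetical minimal certificate: a node's long-term public
// key and identity, bound to an expiry by the issuing org's signature.
type NodeCert struct {
	NodeID    string
	NodePub   ed25519.PublicKey
	NotAfter  int64 // unix seconds
	Signature []byte
}

// tbs returns the to-be-signed bytes: every field except the signature,
// length-delimited so that fields cannot be shifted into one another.
func (c *NodeCert) tbs() []byte {
	var buf bytes.Buffer
	buf.WriteString("nodecert-v1\x00") // domain separation tag (constructed)
	buf.WriteString(c.NodeID)
	buf.WriteByte(0)
	buf.Write(c.NodePub)
	_ = binary.Write(&buf, binary.BigEndian, c.NotAfter)
	return buf.Bytes()
}

// Issue is the one-time step the org's CA performs when a node joins the grid:
// sign the node's public key together with its ID and an expiry.
func Issue(caPriv ed25519.PrivateKey, nodeID string, nodePub ed25519.PublicKey,
	ttl time.Duration, now time.Time) *NodeCert {
	c := &NodeCert{NodeID: nodeID, NodePub: nodePub, NotAfter: now.Add(ttl).Unix()}
	c.Signature = ed25519.Sign(caPriv, c.tbs())
	return c
}

// Verify is what a node runs on every connection. It needs only the org's
// CA public key, pinned once on each node; no per-node pinning and no lookup
// in a central database of trusted keys.
func Verify(caPub ed25519.PublicKey, c *NodeCert, now time.Time) error {
	if len(c.NodePub) != ed25519.PublicKeySize {
		return errors.New("bad node public key length")
	}
	if now.Unix() > c.NotAfter {
		return errors.New("certificate expired")
	}
	if !ed25519.Verify(caPub, c.tbs(), c.Signature) {
		return errors.New("signature not from the trusted org CA")
	}
	return nil
}

func main() {
	// The org's CA keypair: private half stays offline, public half is pinned
	// on every node. (All keys below are freshly generated, i.e. constructed.)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()

	// Two nodes that have never seen each other exchange certificates.
	aPub, _, _ := ed25519.GenerateKey(rand.Reader)
	bPub, _, _ := ed25519.GenerateKey(rand.Reader)
	certA := Issue(caPriv, "node-a", aPub, 24*time.Hour, now)
	certB := Issue(caPriv, "node-b", bPub, 24*time.Hour, now)
	fmt.Println("A verifies B:", Verify(caPub, certB, now))
	fmt.Println("B verifies A:", Verify(caPub, certA, now))

	// A certificate from some other authority is rejected: the org's CA key
	// is the only root of trust, so a rogue CA elsewhere buys nothing here.
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := Issue(roguePriv, "node-a", aPub, 24*time.Hour, now)
	fmt.Println("rogue CA cert:", Verify(caPub, rogue, now))

	// Changing any signed field invalidates the signature.
	tampered := *certA
	tampered.NodeID = "node-z"
	fmt.Println("tampered cert:", Verify(caPub, &tampered, now))
}
```

The pinned CA public key is the single thing each node must carry; rotating a compromised CA key means re-issuing node certificates, which is the cost the original poster is pointing at, but it avoids both per-node pinning and a central lookup on every connection.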
