[Cryptography] Opinions requested on Sample Root Certificate
Paul F Fraser
paulf at a2zliving.com
Tue Jan 16 23:12:30 EST 2018
On 17/01/2018 1:18 PM, Peter Gutmann wrote:
> Paul F Fraser <paulf at a2zliving.com> writes:
>
>> Opinions on choice of ECDSA-brainpoolP512r1 curve and SHA256WITHECDSA for a
>> root certificate would be the most important.
> I don't think it matters, any modern algorithm will be fine, the failures
> won't happen there but everywhere else. A specific answer will depend more on
> what you want to use it for, do you need to interop with stuff that can't do
> ECC, are there regulatory constraints, do your customers prefer A to B, etc.
>
> Peter.
Ahh, those details.
The network is comprised of nodes that each provide services to one or a small number of users,
perhaps a family or a small business.
Each node runs a webserver that users access from desktops, laptops or mobile devices.
Each node has at least one end user certificate that is an IP address only certificate for external
https access.
A node might also need a localhost certificate and a certificate for internal lan https purposes.
All nodes have a full copy of every other node's IP address and port. (not a block chain, just a
simple fast lookup)
Nodes communicate with each other via tcp and/or udp to provide services to the users browsing the
server on their own node. Certificates not required here because the p2p network has its own DH
protocols and does not have to meet the certificate requirements of TLS/SSL.
The reason for IP only certificates is if a node's IP address changes a new certificate can be issued
quickly for the new IP address over the p2p network of nodes and the old certificate destroyed
automatically by the node software.
So, an intermediate certificate signed by the root certificate we are talking about will be used to
sign end user IP address certificates.
It is in effect a walled network with secure computer and mobile access to its features.
Paul
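The hierarchy Paul describes (a brainpoolP512r1 root signing with SHA-256, an intermediate under it, and IP-address-only end entity certificates that can be reissued when a node's address changes) can be built and checked with plain OpenSSL. The script below is an added example, not code from the thread or from Paul's project; the names, the TEST-NET-3 addresses 203.0.113.10 and 203.0.113.11, the validity periods and the output directory are all assumptions. It issues a leaf for one IP, issues a replacement for a new IP the way the post describes, and verifies both against the root through the intermediate. One caveat on Peter's interop point: the brainpool curves are not implemented in mainstream browser TLS stacks such as BoringSSL, so a chain signed this way validates in OpenSSL but may not in the browsers the nodes' users run.

```shell
#!/bin/sh
# Added example: three-tier chain (root -> intermediate -> IP-only leaf) with OpenSSL.
# Assumes an OpenSSL (1.1.1 or 3.x) build that includes the brainpool curves.
set -eu

CURVE=brainpoolP512r1

# Generate an EC private key on the chosen curve (PEM, no parameters block).
gen_key() {
    openssl ecparam -name "$CURVE" -genkey -noout -out "$1"
}

# Self-signed root: CA:TRUE with pathlen:1 so it may sign exactly one CA tier below it.
make_root() {
    d="$1"
    gen_key "$d/root.key"
    cat > "$d/root.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Node Network Root (assumed name)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha256 -days 3650 -key "$d/root.key" \
        -config "$d/root.cnf" -out "$d/root.crt"
}

# Intermediate signed by the root: CA:TRUE, pathlen:0 so it can only issue end entity certs.
make_intermediate() {
    d="$1"
    gen_key "$d/int.key"
    openssl req -new -sha256 -key "$d/int.key" \
        -subj "/CN=Example Node Network Issuing CA (assumed name)" -out "$d/int.csr"
    cat > "$d/int.ext" <<EOF
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -sha256 -days 1825 -in "$d/int.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/int.ext" -out "$d/int.crt"
}

# Leaf for one node: no DNS name at all, only an IP address in subjectAltName.
# issue_leaf DIR IP NAME -> writes DIR/NAME.key and DIR/NAME.crt signed by the intermediate.
issue_leaf() {
    d="$1"; ip="$2"; name="$3"
    gen_key "$d/$name.key"
    openssl req -new -sha256 -key "$d/$name.key" -subj "/CN=node-$ip" -out "$d/$name.csr"
    cat > "$d/$name.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -sha256 -days 90 -in "$d/$name.csr" -CA "$d/int.crt" \
        -CAkey "$d/int.key" -CAcreateserial -extfile "$d/$name.ext" -out "$d/$name.crt"
}

# Path validation: trust only the root, supply the intermediate as untrusted. Exit 0 on success.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/$2.crt" > /dev/null
}

# Signature algorithm named in a certificate, e.g. "ecdsa-with-SHA256".
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# The IP address carried in a leaf's subjectAltName (empty if there is none).
leaf_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'IP Address:[0-9.]*' | head -n1 | cut -d: -f2
}

# Demo run in a scratch directory: build the chain, issue a leaf, then reissue for a new IP.
DEMO_DIR=$(mktemp -d)
make_root "$DEMO_DIR"
make_intermediate "$DEMO_DIR"
issue_leaf "$DEMO_DIR" 203.0.113.10 leaf-old
issue_leaf "$DEMO_DIR" 203.0.113.11 leaf-new
verify_chain "$DEMO_DIR" leaf-old && echo "old leaf: chain OK ($(leaf_ip_san "$DEMO_DIR/leaf-old.crt"))"
verify_chain "$DEMO_DIR" leaf-new && echo "new leaf: chain OK ($(leaf_ip_san "$DEMO_DIR/leaf-new.crt"))"
```

The reissue step shows the operational shape Paul describes: a new leaf for the new address is a fresh key and a fresh certificate from the same intermediate, and retiring the old one is a separate act (deleting it on the node, and revoking it if any relying party caches it) that this script does not perform. The pathlen values on the two CA certificates are the detail a reviewer would check first, since they are what stops a compromised node key from minting further CAs.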