[Cryptography] Opinions requested on Sample Root Certificate

Paul F Fraser paulf at a2zliving.com
Tue Jan 16 23:12:30 EST 2018


On 17/01/2018 1:18 PM, Peter Gutmann wrote:
> Paul F Fraser <paulf at a2zliving.com> writes:
>
>> Opinions on choice of ECDSA-brainpoolP512r1 curve and SHA256WITHECDSA for a
>> root certificate would be the most important.
> I don't think it matters, any modern algorithm will be fine, the failures
> won't happen there but everywhere else.  A specific answer will depend more on
> what you want to use it for, do you need to interop with stuff that can't do
> ECC, are there regulatory constraints, do your customers prefer A to B, etc.
>
> Peter.
Ahh, those details.

The network is comprised of nodes that each provide services to one or a small number of users, 
perhaps a family or a small business.
Each node runs a webserver that users access from desktops, laptops or mobile devices.

Each node has at least one end user certificate that is an IP address only certificate for external 
https access.
A node might also need a localhost certificate and a certificate for internal lan https purposes.

All nodes have a full copy of every other node's IP address and port (not a block chain, just a 
simple fast lookup).

Nodes communicate with each other via TCP and/or UDP to provide services to the users browsing the 
server on their own node. Certificates are not required here because the p2p network has its own DH 
protocols and does not have to meet the certificate requirements of TLS/SSL.

The reason for IP-only certificates is that if a node's IP address changes, a new certificate can be issued 
quickly for the new IP address over the p2p network of nodes and the old certificate destroyed 
automatically by the node software.

So, an intermediate certificate signed by the root certificate we are talking about will be used to 
sign end user IP address certificates.

It is in effect a walled network with secure computer and mobile access to its features.

Paul
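The three-tier chain described in the message above (brainpoolP512r1 root signed with SHA256withECDSA, an issuing intermediate, an IP-address-only leaf that is re-issued when the node's address changes), worked through with the openssl CLI. This is an added example, not code from the thread or from Paul's node software; the CA names, the two IP addresses (RFC 5737 documentation ranges) and the temporary work directory are hypothetical, and it assumes an openssl build whose default provider includes the brainpool curves (OpenSSL 1.1.1 and 3.x do).

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the chain Paul describes
# with the openssl CLI: a brainpoolP512r1 root signed with SHA256withECDSA, an
# intermediate, and an IP-address-only leaf, then checks the leaf against the
# root for the IP a client connected to and re-issues it when the node's IP changes.
# All names, IPs (RFC 5737 documentation ranges) and paths are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"

gen_key() {  # $1 = key file; brainpoolP512r1 is the curve under discussion
    openssl ecparam -name brainpoolP512r1 -genkey -noout -out "$1" 2>/dev/null
}

make_csr() {  # $1 = key file, $2 = subject, $3 = CSR file
    openssl req -new -sha256 -config "$WORK/req.cnf" -key "$1" -subj "$2" -out "$3" 2>/dev/null
}

make_root() {  # self-signed CA; -sha256 with an EC key gives ecdsa-with-SHA256
    gen_key "$WORK/root.key"
    make_csr "$WORK/root.key" "/CN=Hypothetical P2P Root CA" "$WORK/root.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
}

make_intermediate() {  # signed by the root; pathlen:0 so it can only sign leaves
    gen_key "$WORK/int.key"
    make_csr "$WORK/int.key" "/CN=Hypothetical P2P Issuing CA" "$WORK/int.csr"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
}

issue_leaf() {  # $1 = node IP. Overwrites leaf.key/leaf.pem: re-issuing for a new IP destroys the old pair.
    gen_key "$WORK/leaf.key"
    make_csr "$WORK/leaf.key" "/CN=$1" "$WORK/leaf.csr"
    # The binding browsers check is the IP entry in subjectAltName, not the CN.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$1" > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

verify_leaf() {  # $1 = IP the client connected to; prints OK or FAIL (chain, purpose and IP match)
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        -purpose sslserver -verify_ip "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

root_sig_alg() {  # signature algorithm of the root, e.g. ecdsa-with-SHA256
    openssl x509 -in "$WORK/root.pem" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

root_curve() {  # named curve of the root key, e.g. brainpoolP512r1
    openssl x509 -in "$WORK/root.pem" -noout -text | awk '/ASN1 OID:/ { print $3; exit }'
}

make_root
make_intermediate
issue_leaf 203.0.113.10
echo "root: $(root_sig_alg) on $(root_curve)"
echo "cert for 203.0.113.10, client at 203.0.113.10: $(verify_leaf 203.0.113.10)"   # OK
echo "cert for 203.0.113.10, client at 198.51.100.7: $(verify_leaf 198.51.100.7)"   # FAIL
issue_leaf 198.51.100.7   # the node's address changed: fresh cert, old key and cert gone
echo "cert for 198.51.100.7, client at 198.51.100.7: $(verify_leaf 198.51.100.7)"   # OK
```

The `-verify_ip` check is what a browser does with the subjectAltName IP entry, so a stale certificate fails the moment the node moves, before any revocation machinery is involved. Note that the curve and digest choice never appears in the failing case: what decides the security of this design is who holds `int.key` and which node is allowed to trigger `issue_leaf` for which IP over the p2p network, and the root has to be installed on every desktop and mobile client for any of these certificates to be accepted.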
