On 10/14/2011 03:12 PM, Adam Young wrote:
> I wonder if we need to keep the Binary format for some use cases. I know that there are cases where the PKI code needs to expose certificates to the browser as straight binary. But that would not go through the XML or JSON RPCs. Keep in mind how to do the conversion if it becomes necessary and we can talk then.
FWIW, PEM is the officially sanctioned mechanism to exchange certs and CSRs via text protocols; that's why we're using it in this context.
The ability to convert text PEM data to binary DER is trivial and is widely available.
We got ourselves in trouble in the past by passing unadorned base64 data for certs. Because we use base64 data for all binary data in IPA, it became very difficult when looking at a blob of data to know what it was and what format it was in (especially since we weren't consistent).
Protocols that pass certs in binary DER form have markers (tags) in the protocol which identify the binary data that follows as a DER encoded cert, thus the binary exchange of certs does not suffer from the content ambiguity we experienced with text protocols (or rather, more specifically, the way we had engineered our use of text protocols).
If we restrict our usage to only PEM or DER it becomes trivial to identify the format. And by using PEM exclusively in text protocols we have a vastly more robust, portable and industry standard exchange mechanism.
Also, I suspect "exposing binary DER certs to the browser" is something more likely to occur at a different protocol level (e.g. the SSL/TLS handshake). The exchange of certs and private keys between people is almost always done via PEM and PKCS12 respectively, both of which are text based and backed by standards.
-- 
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
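The two points John makes above, that PEM to DER conversion is trivial and that an unadorned base64 blob cannot be told apart from any other base64 blob while a PEM block or a DER SEQUENCE can, are shown below in a standard-library-only Python example. This is an added example, not code from the freeipa-devel thread or from FreeIPA itself; the `SAMPLE_DER` bytes are a constructed minimal ASN.1 SEQUENCE standing in for a real certificate, and the function names are the example's own.

```python
"""PEM <-> DER conversion plus a format sniffer, using only the standard library.

Added example (not from the freeipa-devel thread). SAMPLE_DER is a constructed
placeholder: the smallest DER SEQUENCE (containing INTEGER 5), not a real X.509
certificate, so the example runs offline without any cert material.
"""
import base64
import re
from typing import Optional

# A PEM block: BEGIN label, base64 body (possibly multi-line), matching END label.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed stand-in for certificate DER: SEQUENCE { INTEGER 5 }.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armour with the given label and 64-column lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str, expected_label: Optional[str] = None) -> bytes:
    """Extract the DER payload of the first PEM block.

    The label is the whole point of PEM: if the caller says it wants a
    CERTIFICATE and the block says CERTIFICATE REQUEST, refuse rather than
    silently hand back the wrong kind of object.
    """
    m = PEM_RE.search(pem.encode("ascii"))
    if not m:
        raise ValueError("no PEM block found")
    label = m.group("label").decode("ascii")
    if expected_label is not None and label != expected_label:
        raise ValueError(f"expected {expected_label} block, got {label}")
    body = b"".join(m.group("body").split())  # drop line breaks before decoding
    return base64.b64decode(body, validate=True)


def _looks_like_der_sequence(blob: bytes) -> bool:
    """Heuristic: tag 0x30 (SEQUENCE) and a length field that spans the whole blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)


def identify(blob: bytes) -> str:
    """Classify a blob as PEM (with its label), DER, bare base64, or unknown.

    Bare base64 is deliberately reported as ambiguous: without PEM armour there
    is nothing in the data saying whether it is a cert, a CSR, a key, or
    something else entirely, which is the problem the thread describes.
    """
    m = PEM_RE.search(blob)
    if m:
        return "PEM:" + m.group("label").decode("ascii")
    if _looks_like_der_sequence(blob):
        return "DER"
    try:
        base64.b64decode(b"".join(blob.split()), validate=True)
        return "base64 (content ambiguous)"
    except (base64.binascii.Error, ValueError):
        return "unknown"


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem, end="")
    print(identify(pem.encode()), identify(SAMPLE_DER), identify(b"MAMCAQU="))
```

The structural DER check is a heuristic: a bare base64 string can, by coincidence, begin with the byte 0x30 (ASCII `0`) and have a second character that parses as a plausible length, which is another reason the thread prefers that text protocols carry PEM armour rather than raw base64.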
