[Freeipa-devel] Handling certificates in JSON/XML-RPC

John Dennis jdennis at redhat.com
Fri Oct 14 20:19:15 UTC 2011


On 10/14/2011 03:12 PM, Adam Young wrote:
> I wonder if we need to keep the Binary format for some use cases.  I
> know that there are cases where the PKI code needs to expose
> certificates to the browser as straight binary.  But that would not go
> through the XML or JSON RPCs.  Keep in mind how to do the conversion if
> it becomes necessary and we can talk then.

FWIW, PEM is the officially sanctioned mechanism to exchange certs and 
CSRs via text protocols; that's why we're using it in this context.

The ability to convert text PEM data to binary DER is trivial and is 
widely available.

We got ourselves in trouble in the past by passing unadorned base64 data 
for certs. Because we use base64 data for all binary data in IPA, it became 
very difficult when looking at a blob of data to know what it was and 
what format it was in (especially since we weren't consistent).

Protocols that pass certs in binary DER form have markers (tags) in the 
protocol which identify the binary data that follows as a DER encoded 
cert, thus the binary exchange of certs does not suffer from the content 
ambiguity we experienced with text protocols (or rather, more 
specifically, the way we had engineered our use of text protocols).

If we restrict our usage to only PEM or DER it becomes trivial to 
identify the format. And by using PEM exclusively in text protocols we 
have a vastly more robust, portable and industry standard exchange 
mechanism.

Also, I suspect "exposing binary DER certs to the browser" is something 
more likely to occur at a different protocol level (e.g. the SSL/TLS 
handshake). The exchange of certs and private keys between people is 
almost always done via PEM and PKCS12 respectively, both of which are 
text based and backed by standards.

-- 
John Dennis <jdennis at redhat.com>
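As an added illustration of the point made above (example code, not FreeIPA's own), the classifier below shows why PEM and DER are self-identifying while unadorned base64 is not: PEM names its content in the BEGIN/END label, DER starts with a SEQUENCE tag whose length octets must cover the blob, and bare base64 decodes fine but says nothing about what it encodes. SAMPLE_DER is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import re

# Constructed test data: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
# PEM carries its own marker: the BEGIN/END label names the content type.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_matches(blob):
    # True if the outer SEQUENCE length octets cover exactly the whole blob.
    if len(blob) < 2:
        return False
    first = blob[1]
    if first < 0x80:                       # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")


def identify(blob):
    """Return ('PEM', label), ('DER', None), ('base64', None) or ('unknown', None)."""
    if isinstance(blob, bytes):
        # DER begins with a SEQUENCE tag (0x30) whose length matches the blob.
        if blob[:1] == b"\x30" and der_length_matches(blob):
            return ("DER", None)
        blob = blob.decode("ascii", "replace")  # non-ASCII bytes fail below
    m = PEM_RE.search(blob)
    if m:
        return ("PEM", m.group(1))
    # Unadorned base64 decodes, but with no marker we cannot tell cert from CSR.
    try:
        base64.b64decode("".join(blob.split()), validate=True)
        return ("base64", None)
    except ValueError:                     # binascii.Error is a ValueError
        return ("unknown", None)


def pem_to_der(text):
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("not PEM")
    return base64.b64decode("".join(m.group(2).split()))


def der_to_pem(der, label):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
```

The PEM/DER round trip is the "trivial" conversion the message refers to; the base64 case is the one where a stray blob cannot be told apart from any other base64 payload without out-of-band context.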
