Clarify certificate encoding format: base64(DER) vs base64(PEM)

### Bug description

The [Device Client Onboarding](https://docs.margo.org/specification/margo-management-interface/device-client-onboarding) section states:

> `certificate` - Base64-encoded X.509 certificate of the client

This is ambiguous. "Base64-encoded X.509 certificate" could mean:

1. **base64(DER)** - Raw DER bytes, base64-encoded (e.g., `MIIDdz...`)
2. **base64(PEM)** - PEM file base64-encoded again (e.g.,`LS0tLS1CRUdJTi...`)

The example in the spec shows `"certificate": "MIIDdzCCAl+gAwIBAgIEb1..."` which is **base64(DER)**. The sandbox implementation uses **base64(PEM)**.

### Proposed fix

**Recommendation: Standardize on base64(DER)**

**base64(DER)** is smaller, JSON-friendly, and matches what other specs such as [JWS](https://www.rfc-editor.org/rfc/rfc7515#section-4.1.6) use to encode certificates. **base64(PEM)** would double-encode the certificate with base64.

**Suggested spec wording:**
> `certificate` - Base64-encoded DER X.509 certificate (raw binary, no PEM headers).

### Anything else (optional)

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Clarify certificate encoding format: base64(DER) vs base64(PEM) #132

Bug description

Proposed fix

Anything else (optional)

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Clarify certificate encoding format: base64(DER) vs base64(PEM) #132

Description

Bug description

Proposed fix

Anything else (optional)

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions