[zeromq-dev] SASL support?

Daniel Cegiełka daniel.cegielka at gmail.com
Mon Jan 25 21:08:47 CET 2010


According to Adrian: wait, wait, wait...

There is no problem using ZMQ in a corporate network. There is no problem
using ZMQ between selected networks/clients based on IPSec or VPN connections...
stunnel... or even there is no problem sending encrypted messages like:
http://www.cypherpunks.ca/otr/ or OpenPGP.

But these aspects need to be discussed: what kind of security ZMQ needs to
provide itself. It's good to see how OpenAMQ (privilege separation, ACL) or
Qpid (ACL, SSL, Kerberos) work in this area.

If some company plans to give customers some kind of services (market data,
order management) and they have OpenAMQ with "is designed for intranet use
and does not provide encryption, secure authentication, or access controls"
and Qpid where:

http://qpid.apache.org/faq.html#FAQ-Security

what do they choose?

Moreover, ZMQ was designed for financial services. The FIX5 protocol needs a
secure transport layer (like AMQP?) and this is a chance for ZMQ with strong
security support.

http://www.fixprotocol.org/documents/3556/FIX%20Security%20White%20Paper.pdf

Security is not neutral for latency, and low latency is one of the most
important aspects of ZMQ, so it's good to think about it.

regards,
daniel





2010/1/25 Adrian von Bidder <avbidder at fortytwo.ch>

> On Monday 25 January 2010 14.15:35 Martin Sustrik wrote:
> > I am in no way a security expert, that's why I would prefer others to
> > discuss the issue :)
>
> AOL!!1!
>
> > Anyway, my feeling is that there are solutions that do security on the
> > networking level (IPsec). Using such solutions would allow us to do with
> > no or very thin security support in 0MQ itself AFAIU.
>
> From an application programmer's perspective, I'm not sure the network level
> is the right place for all of this.  Especially authentication (encryption
> possibly less so) is often tightly coupled to authorization (key / token /
> password / ... management based on software component / user / ...) which,
> to me, would suggest a layer that sits between 0MQ and the application.
>
> Either way: it might be good for 0MQ to explicitly state that it doesn't
> care about security by itself, but concentrates on getting the bytes over
> the network fast.  Together with pointers to solutions that implement
> security, this should keep 0MQ thin - depending on application, various
> security strategies are obviously possible, and supporting them all would
> only bloat 0MQ (... until it becomes yet another of these huge enterprisey
> middlewares ... ;-)
>
> Just my CHF .02
>
> cheers
> -- vbi
>
>
> --
> To me vi is Zen.  To use vi is to practice zen. Every command is a koan.
> Profound to the user, unintelligible to the uninitiated.  You discover
> truth everytime you use it.
>        -- reddy at lion.austin.ibm.com
>