[zeromq-dev] Has anyone actually implemented security?

Pieter Hintjens ph at imatix.com
Thu May 19 09:42:28 CEST 2011

On Thu, May 19, 2011 at 8:29 AM, Martin Sustrik <sustrik at 250bpm.com> wrote:

> As a side note: end-to-end encryption seems to be the only solution for
> large scale pub/sub networks with untrusted middle nodes (devices).

Not just for pub/sub but for any pattern, IMO. If you do request-reply
across a broker, you don't want the broker decrypting and
re-encrypting content. The problem here is that any smart device needs
access to at least part of the message for filtering and/or routing.
So encryption has to be selective, it can't happen at the 0MQ
transport layer. If you disallow devices and do point-to-point
messaging, you can envisage transport layer security.

So cutting out the philosophy, we have two known solutions for
security. One is per-message encryption with out-of-band key
distribution, which is ideal for pubsub flows over TCP or PGM. Salt
proves this design. Second option is bridging over HTTPS, for
Internet-scale distribution. There are at least two or three such
projects in progress, though they may still be at the HTTP stage
(without the SSL parts yet).
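
An added illustration of the per-message design discussed in this message (not code from the post, from Salt, or from 0MQ): the topic frame stays in cleartext so a device can filter on it, while the body is sealed and the topic is authenticated. AES-256-GCM, the function names, the topic and the key are this example's assumptions; key distribution is taken to happen out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns [topic, nonce||ciphertext]. The topic frame stays readable so a
// device can filter on it, and is bound to the body as GCM associated data.
func Seal(aead cipher.AEAD, topic, body []byte) ([][]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return [][]byte{topic, aead.Seal(nonce, nonce, body, topic)}, nil
}

// Open is the subscriber side: it authenticates the topic and decrypts the body.
func Open(aead cipher.AEAD, frames [][]byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(frames) != 2 || len(frames[1]) < n {
		return nil, fmt.Errorf("malformed message")
	}
	return aead.Open(nil, frames[1][:n], frames[1][n:], frames[0])
}

func main() {
	aead, err := newAEAD(make([]byte, 32)) // constructed all-zero demo key
	if err != nil {
		panic(err)
	}
	msg, err := Seal(aead, []byte("quotes.EUR"), []byte("1.4231"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("device sees topic %q plus %d opaque bytes\n", msg[0], len(msg[1]))
	msg[0] = []byte("quotes.USD") // an untrusted device rewrites the routing frame
	_, err = Open(aead, msg)
	fmt.Println("subscriber rejects rewritten topic:", err != nil)
}
```

A device in the middle needs no key to route on the first frame, and a subscriber holding the key detects any change to either frame.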

