[zeromq-dev] Has anyone actually implemented security?

Pieter Hintjens ph at imatix.com
Thu May 19 09:42:28 CEST 2011


On Thu, May 19, 2011 at 8:29 AM, Martin Sustrik <sustrik at 250bpm.com> wrote:

> As a side note: end-to-end encryption seems to be the only solution for
> large scale pub/sub networks with untrusted middle nodes (devices).

Not just for pub/sub but for any pattern, IMO. If you do request-reply
across a broker, you don't want the broker decrypting and
re-encrypting content. The problem here is that any smart device needs
access to at least part of the message for filtering and/or routing.
So encryption has to be selective, it can't happen at the 0MQ
transport layer. If you disallow devices and do point-to-point
messaging, you can envisage transport layer security.

So cutting out the philosophy, we have two known solutions for
security. One is per-message encryption with out-of-band key
distribution, which is ideal for pubsub flows over TCP or PGM. Salt
proves this design. Second option is bridging over HTTPS, for
Internet-scale distribution. There are at least two or three such
projects in progress, though they may still be at the HTTP stage
(without the SSL parts yet).

-Pieter
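The selective-encryption design discussed above (a cleartext topic frame that untrusted devices filter on, with the payload encrypted per message under a key distributed out of band), as an added example in Go that is not part of this thread or of 0MQ itself. It assumes AES-GCM with a pre-shared 32-byte key; the Message type, Seal/Open/MatchesPrefix and the "weather.nyc" topic are constructed for the demo, and the out-of-band key distribution itself is outside its scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Message is a two-frame 0MQ-style pub/sub message: cleartext topic, sealed payload (nonce || ciphertext+tag).
type Message struct {
	Topic   []byte
	Payload []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key distributed out of band
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts body for subscribers holding key; the topic is bound as
// associated data, so a device may read it but cannot rewrite it undetected.
func Seal(key, topic, body []byte) (Message, error) {
	aead, err := newAEAD(key)
	if err != nil { return Message{}, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return Message{}, err }
	return Message{Topic: topic, Payload: aead.Seal(nonce, nonce, body, topic)}, nil
}

// Open is the subscriber side: GCM verifies the tag over both topic and payload.
func Open(key []byte, m Message) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(m.Payload) < n { return nil, errors.New("payload shorter than nonce") }
	return aead.Open(nil, m.Payload[:n], m.Payload[n:], m.Topic)
}

// MatchesPrefix is the middle node's whole job: 0MQ-style prefix filtering on the cleartext topic, no key needed.
func MatchesPrefix(m Message, prefix []byte) bool { return bytes.HasPrefix(m.Topic, prefix) }

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real secret
	m, _ := Seal(key, []byte("weather.nyc"), []byte("72F"))
	pt, err := Open(key, m); fmt.Println(MatchesPrefix(m, []byte("weather.")), string(pt), err)
}
```

A device that swaps the topic to re-route a message, or a subscriber holding the wrong key, gets an authentication error from Open rather than plaintext.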
