[zeromq-dev] CurveZMQ availability plan ?

Pieter Hintjens ph at imatix.com
Thu Aug 8 22:21:06 CEST 2013


On Thu, Aug 8, 2013 at 4:48 PM, Laurent Alebarde <l.alebarde at free.fr> wrote:
> Some other parts remain mysterious to me in
> their justification, but that's security aspects and I have just to say
> "amen".

My advice is to read the CurveCP site about 10 times over a week or
two. It really takes some digesting, and then it will become clear.

> "So to create a Box [X](C->S) we sign using c and encrypt using S. To open
> the box we authenticate using C and open using s."

Is correct. Box [X](C'->S') would be signed using c' and encrypted using S'.

> Concerning ZAP, I have re-read the RFC27 and
> https://github.com/zeromq/rfc/blob/master/src/spec_27.c. Both the use cases
> and how to use it are unclear to me. BTW, it seems from RFC26 that CurveZMQ
> provides server and client authentication. So, why would we need ZAP? There
> is something I don't catch.

One client socket can connect to one server and the server public key
is assertive, i.e. you set it before connecting using a socket option,
and if the key is invalid the connection will not succeed.

One server socket can accept many client connections and
authentication happens out-of-band, invisibly to the socket reader.
That happens via ZAP.

-Pieter
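
The out-of-band check described above, as an added example (not code from this message or from libzmq): a handler that takes the frames of one ZAP 1.0 request for the CURVE mechanism, laid out as in RFC 27, and returns the reply frames. The allowlist, key bytes, user id and function names are constructed for illustration, and the socket plumbing around the handler is left out.

```python
# Added example: ZAP (RFC 27, version 1.0) request handling for CURVE clients.
# Frames are given without the leading empty delimiter frame.

ZAP_VERSION = b"1.0"

# Constructed allowlist: 32-byte client long-term public key -> user id.
# A real deployment would load these from its own key store.
ALLOWED_CLIENTS = {
    bytes(range(32)): b"client-alice",
}


def zap_reply(request_id, code, text, user_id=b""):
    # Reply frames: version, request id, status code, status text,
    # user id, metadata (left empty here).
    return [ZAP_VERSION, request_id, code, text, user_id, b""]


def handle_zap_request(frames):
    """Return the ZAP reply frames for one ZAP request."""
    # Request frames: version, request id, domain, address, identity,
    # mechanism, then zero or more credential frames.
    if len(frames) < 6:
        return zap_reply(b"", b"500", b"Malformed request")
    version, request_id, _domain, _address, _identity, mechanism = frames[:6]
    credentials = frames[6:]
    if version != ZAP_VERSION:
        return zap_reply(request_id, b"500", b"Unsupported ZAP version")
    if mechanism != b"CURVE":
        # Fail closed: this server only accepts CURVE-authenticated clients.
        return zap_reply(request_id, b"400", b"Mechanism not allowed")
    # For CURVE the single credential frame is the client's public key.
    if len(credentials) != 1 or len(credentials[0]) != 32:
        return zap_reply(request_id, b"400", b"Invalid CURVE credentials")
    user_id = ALLOWED_CLIENTS.get(credentials[0])
    if user_id is None:
        return zap_reply(request_id, b"400", b"Unknown client key")
    return zap_reply(request_id, b"200", b"OK", user_id)


if __name__ == "__main__":
    # Constructed request, as the server would hand it over during a handshake.
    request = [b"1.0", b"1", b"global", b"192.0.2.10", b"", b"CURVE",
               bytes(range(32))]
    print(handle_zap_request(request))
```

The code reading messages from the server socket never sees this exchange; it only receives traffic from connections the handler answered with status 200.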


