[zeromq-dev] ZAP / Security refactoring

Brian Knox brian.knox at neomailbox.net
Sat Aug 24 14:50:43 CEST 2013


+1 for minimal plausible security for 4.

On 8/23/2013 5:21 PM, Pieter Hintjens wrote:
> Hmm, the use of multiple security mechanisms was one thing we
> considered and rejected when designing ZMTP 3.0. The problem is that
> you would have to expand the message API to allow the reader to ask
> the security level for each message. If you really want a PLAIN and a
> CURVE mix, you can use two sockets. Allowing more than one mechanism
> per socket makes _everything_ more complex and it's not clear that the
> benefits are worth it.
>
> I'd really like to get 4.0 released with a minimal plausible security
> model, and expand on it later.
>
> Also, if we did have multiple levels per socket, that would not change
> ZAP. The server would just make multiple ZAP requests, one per
> mechanism...
>
> -Pieter
>
> On Fri, Aug 23, 2013 at 7:44 PM, Jeremy Rossi <jeremy at jeremyrossi.com> wrote:
>> I have been spending some time with zeromq and zap. With this I am thinking about refactoring the libzmq zap / security code a little to add some features and solve a problem I have.
>>
>> I think we should be able to stack mechanisms. So that you are able to use ZMQ_CURVE and ZMQ_PLAIN on the same socket. This would allow secure transport of the username/password without having to manage the keys. Also, in my use case, it would allow the zap provider to learn the public key of a client while still providing authentication for that learning process.
>>
>> To achieve this I think the ZAP frame generation and processing should be moved to stream_engine.cpp and make calls into the mechanisms to gather the needed information to send to the zap endpoint.
>>
>> Figured I would start the chat before working on code and get some feedback.
>>
>>
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
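
Added example, not part of the original thread and not libzmq code: a minimal ZAP handler showing the two-socket approach Pieter describes, where a PLAIN socket and a CURVE socket share one handler and each ZAP request names exactly one mechanism. The frame layout follows the ZAP specification (ZeroMQ RFC 27); the credential stores, addresses and function names are constructed for illustration.

```python
import hmac

# Constructed sample credential stores (assumptions for this example).
PLAIN_USERS = {b"admin": b"s3cret"}
CURVE_CLIENT_KEYS = {bytes(range(32))}  # one made-up 32-byte client public key

def zap_reply(request_id, status, text, user_id=b""):
    # Reply frames: version, request id, status code, status text, user id, metadata
    return [b"1.0", request_id, status, text, user_id, b""]

def check_plain(creds):
    # PLAIN credentials are two frames: username, password
    if len(creds) != 2:
        return None
    username, password = creds
    expected = PLAIN_USERS.get(username)
    # Constant-time compare; unknown users are compared against a dummy value.
    ok = hmac.compare_digest(password, expected if expected is not None else b"\x00")
    return username if ok and expected is not None else None

def check_curve(creds):
    # CURVE credentials are one frame: the client's 32-byte public key
    if len(creds) != 1 or len(creds[0]) != 32:
        return None
    key = creds[0]
    return key.hex().encode() if key in CURVE_CLIENT_KEYS else None

CHECKS = {b"PLAIN": check_plain, b"CURVE": check_curve}

def handle_zap(frames):
    """Answer one ZAP request. Each request names exactly one mechanism."""
    if len(frames) < 6:
        return zap_reply(b"", b"500", b"Malformed request")
    version, request_id, domain, address, identity, mechanism = frames[:6]
    if version != b"1.0":
        return zap_reply(request_id, b"400", b"Invalid version")
    check = CHECKS.get(mechanism)  # NULL and unknown mechanisms are denied
    user_id = check(frames[6:]) if check else None
    if user_id is None:
        return zap_reply(request_id, b"400", b"Access denied")
    return zap_reply(request_id, b"200", b"OK", user_id)

# Constructed requests as they would arrive from a PLAIN socket and a CURVE socket.
PLAIN_REQ = [b"1.0", b"1", b"global", b"192.0.2.10", b"", b"PLAIN", b"admin", b"s3cret"]
CURVE_REQ = [b"1.0", b"2", b"global", b"192.0.2.10", b"", b"CURVE", bytes(range(32))]

if __name__ == "__main__":
    for req in (PLAIN_REQ, CURVE_REQ):
        print(handle_zap(req)[2:5])
```
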



