[zeromq-dev] ZAP / Security refactoring
Pieter Hintjens
ph at imatix.com
Sat Aug 24 23:38:21 CEST 2013
Hmm... so your problem is public key exchange. It's a fair problem but
I think you can do this using ZAP as it stands today.
On Sat, Aug 24, 2013 at 2:50 PM, Brian Knox <brian.knox at neomailbox.net> wrote:
> +1 for minimal plausible security for 4.
>
> On 8/23/2013 5:21 PM, Pieter Hintjens wrote:
>> Hmm, the use of multiple security mechanisms was one thing we
>> considered and rejected when designing ZMTP 3.0. The problem is that
>> you would have to expand the message API to allow the reader to ask
>> the security level for each message. If you really want a PLAIN and a
>> CURVE mix, you can use two sockets. Allowing more than one mechanism
>> per socket makes _everything_ more complex and it's not clear that the
>> benefits are worth it.
>>
>> I'd really like to get 4.0 released with a minimal plausible security
>> model, and expand on it later.
>>
>> Also, if we did have multiple levels per socket, that would not change
>> ZAP. The server would just make multiple ZAP requests, one per
>> mechanism...
>>
>> -Pieter
>>
>> On Fri, Aug 23, 2013 at 7:44 PM, Jeremy Rossi <jeremy at jeremyrossi.com> wrote:
>>> I have been spending some time with zeromq and zap. With this I am thinking about refactoring the libzmq zap / security code a little to add some features and solve a problem I have.
>>>
>>> I think we should be able to stack mechanisms, so that you are able to use ZMQ_CURVE and ZMQ_PLAIN on the same socket. This would allow secure transport of the username/password without having to manage the keys. Also, in my use case, it would allow the zap provider to learn the public key of a client while still providing authentication for that learning process.
>>>
>>> To achieve this I think the ZAP frame generation and processing should be moved to stream_engine.cpp, which would make calls into the mechanisms to gather the information needed to send to the zap endpoint.
>>>
>>> Figured I would start the chat before working on code and get some feedback.
>>>
>>>
>>> _______________________________________________
>>> zeromq-dev mailing list
>>> zeromq-dev at lists.zeromq.org
>>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
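The thread turns on what a ZAP handler actually receives per mechanism: a PLAIN request carries username and password frames, and a CURVE request carries the client's 32-byte public key, so the handler already sees the key Jeremy wants to "learn". The function below is an added example, not code from this thread or from libzmq; it models a ZAP 1.0 handler as a pure function over the frame list read from `inproc://zeromq.zap.01`, with constructed sample users and keys as placeholders.

```python
import hmac

# Added example, not libzmq code. ZAP 1.0 request frames:
#   version, request id, domain, address, identity, mechanism, credentials...
# Reply frames: version, request id, status code, status text, user id, metadata.
ZAP_VERSION = b"1.0"

# Constructed placeholders: one PLAIN user and one allow-listed CURVE key.
ALLOWED_USERS = {b"alice": b"s3cret"}
SAMPLE_CLIENT_KEY = bytes(range(32))            # stands in for a real z85-decoded key
ALLOWED_CURVE_KEYS = {SAMPLE_CLIENT_KEY: b"client-01"}


def zap_reply(request_id, status, text, user_id=b""):
    """Build the six reply frames; metadata frame left empty."""
    return [ZAP_VERSION, request_id, status, text, user_id, b""]


def handle_zap_request(frames, users=ALLOWED_USERS, curve_keys=ALLOWED_CURVE_KEYS):
    """Return the ZAP reply frames for one request; 500 = malformed, 400 = denied."""
    if len(frames) < 6 or frames[0] != ZAP_VERSION:
        rid = frames[1] if len(frames) > 1 else b""
        return zap_reply(rid, b"500", b"bad request")
    _version, request_id, _domain, _address, _identity, mechanism = frames[:6]
    creds = frames[6:]

    if mechanism == b"NULL":                      # no credentials to check
        return zap_reply(request_id, b"200", b"OK")

    if mechanism == b"PLAIN":                     # credentials = username, password
        if len(creds) != 2:
            return zap_reply(request_id, b"400", b"missing credentials")
        user, password = creds
        expected = users.get(user, b"")
        # constant-time compare; a dummy compare still runs for unknown users
        if user in users and hmac.compare_digest(expected, password):
            return zap_reply(request_id, b"200", b"OK", user)
        return zap_reply(request_id, b"400", b"bad credentials")

    if mechanism == b"CURVE":                     # credentials = client public key
        if len(creds) != 1 or len(creds[0]) != 32:
            return zap_reply(request_id, b"400", b"bad key")
        user_id = curve_keys.get(creds[0])        # handler sees the key directly
        if user_id is not None:
            return zap_reply(request_id, b"200", b"OK", user_id)
        return zap_reply(request_id, b"400", b"unknown key")

    return zap_reply(request_id, b"400", b"unsupported mechanism")
```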