[zeromq-dev] Topics for ZMTP 3.0
Pieter Hintjens
ph at imatix.com
Fri Jun 7 13:10:16 CEST 2013
On Fri, Jun 7, 2013 at 11:16 AM, Ciprian Dorin Craciun
<ciprian.craciun at gmail.com> wrote:
> I've quickly looked through the ZAP specification (27), and at a
> first glance I have the following observations:
Thanks for the feedback, this is great.
The ZAP text was missing some links, including:
* http://rfc.zeromq.org/spec:23/ZMTP
* http://rfc.zeromq.org/spec:26/CURVEZMQ
I've made changes based on your comments:
* sequence number -> request id (blob)
* clarified strings (max. 255 chars, ASCII only)
> Why shouldn't the specification allow any number of
> fragments
True. I'll do that. It makes PLAIN authentication simpler, which is good.
> (C) Instead of (or before the) CURVE mechanism --- which I find
> very underspecified
RFCs 23, 24, 25, 26 are relevant. I'll make sure they're properly
referenced in ZAP.
> a method like DIGEST would prove more useful, being a middle ground
> between plain-text and fully cryptographic.
I didn't think it was worth making a DIGEST mechanism but if someone
wants to design this, we can definitely include it.
> (D) I think there should be a way to obtain mutual authentication,
> where also the client is able to authenticate the server.
It depends on the mechanism, ZAP is in fact agnostic ("server" means
libzmq). Both PLAIN and CURVE however use the model where the client
connects to one server only, and authenticates by assertion (in PLAIN,
by specifying the TCP endpoint, and in CURVE, by specifying the server
long-term public key).
> (E) What is the difference between it and SASL? Or better said
> why can't we rely on SASL, and provide a SASL adaptation on-top of
> ZeroMQ, thus we could re-use a lot of existing solutions.
The answer will be in the ZMTP 3.0 spec. We are using a SASL-like
model but not SASL, which is IMO not a good fit for ZMTP.
I specifically did not want to add SASL library dependencies, of any
kind, into libzmq. With ZAP one could talk to a SASL backend. However
this isn't a rich protocol, there's no challenge/response, just an
OK/NOK for a given set of credentials.
> I hope nobody interprets the above as "bashing" on ZAP, it's a
> good start in having a common protocol over ZeroMQ, I just think that
> it should offer more "out-of-the-box".
Bashing ZAP is good! What we need are real attempts to connect libzmq
to authentication so we can see what's failing. The RFC can evolve
until stable, and we can make new drafts at any time.
Thanks for the feedback, I'm publishing an update right now.
-Pieter
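As an added illustration of the OK/NOK model Pieter describes (this is example code, not code from the thread, the RFC or libzmq): a minimal ZAP-style handler that treats the request id as an opaque blob and echoes it back, enforces the 255-character ASCII-only rule on string fields, and answers a PLAIN credential set with a plain accept/reject. The frame layout and the 200/400 status codes follow the published ZAP 1.0 RFC as I know it rather than the 2013 draft under discussion, and the credential store is constructed for the example.

```python
"""Minimal ZAP-style authentication handler (added example, not part of
the original mailing-list thread, the ZAP RFC or libzmq).

Assumed frame layout (published ZAP 1.0, rfc.zeromq.org/spec:27):
  request = [version, request_id, domain, address, identity, mechanism, *credentials]
  reply   = [version, request_id, status_code, status_text, user_id, metadata]
The request id is an opaque blob and is echoed back unchanged; string
fields are limited to 255 printable-ASCII bytes as the thread requires."""
import hmac

MAX_STRING = 255

# Constructed credential store for the PLAIN mechanism: username -> password.
PLAIN_USERS = {b"admin": b"secret"}


def is_valid_string(frame: bytes) -> bool:
    """A ZAP string: at most 255 bytes, printable ASCII only."""
    return len(frame) <= MAX_STRING and all(0x20 <= b < 0x7F for b in frame)


def check_plain(credentials):
    """PLAIN carries exactly two frames: username and password.
    Returns the authenticated user id, or None on failure."""
    if len(credentials) != 2:
        return None
    username, password = credentials
    expected = PLAIN_USERS.get(username)
    # Compare the password in constant time so a near-miss is not
    # distinguishable from a total mismatch by timing.
    if expected is not None and hmac.compare_digest(expected, password):
        return username
    return None


def handle_zap_request(frames):
    """Build the ZAP reply for one request; there is no challenge/response,
    only a single status per credential set. Returns None if the request is
    too short or of an unknown version to even correlate a reply to."""
    if len(frames) < 6 or frames[0] != b"1.0":
        return None
    request_id, domain, address, _identity, mechanism = frames[1:6]
    credentials = frames[6:]

    def reply(code, text, user_id=b""):
        return [b"1.0", request_id, code, text, user_id, b""]

    # identity is a binary blob in ZAP, so only the string fields are checked
    if not all(is_valid_string(f) for f in (domain, address, mechanism)):
        return reply(b"400", b"Malformed request")
    if mechanism == b"NULL":
        return reply(b"200", b"OK")
    if mechanism == b"PLAIN":
        user = check_plain(credentials)
        return reply(b"200", b"OK", user) if user else reply(b"400", b"Invalid credentials")
    return reply(b"400", b"Unsupported mechanism")  # CURVE etc. need their own checks
```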