[zeromq-dev] Custom authenticator

Charles West crwest at ncsu.edu
Fri Aug 8 22:42:17 CEST 2014


I've been digging into the spec for CurveZMQ as part of my efforts to build
a secure alternative to ROS.  I believe I have figured out what I need to
do for the next part, but I thought I should ask to see if I am on the
right track and see if there might be better ways that more experienced
people know of.

I need to maintain an in-memory list of accepted keys for each socket and
have connections for each of those sockets accepted/rejected based on the
associated key stores.

It looks like once security domains are implemented I will be able to make
something of this nature by creating a security domain for each socket and
a folder to maintain the allowed certificates for each domain.  In the mean
time, I could have a context for each socket and its own associated folder
(clunky, but works).  However, as this is suppose to be a background
library, it would be much better if it didn't need to have a folder with
write access to do its own book keeping.

27/ZAP - ZeroMQ Authentication Protocol and looking at the source for CZMQ
seems to indicate a better way.  If I am reading it correctly, ZeroMQ will
send any connection requests over to an inproc server with endpoint
"inproc://zeromq.zap.01".  This server is normally made automatically by
CZMQ calls, but it is not necessary that the library creates it.  Instead,
my code could bind the endpoint and implement its part of the 27/ZAP
protocol (the curve part, at least).  It can maintain its own list of keys
and implement the security domains to allow a unique in-memory store to be
kept for each object.

If I may ask, does this last solution sound right?  Is there any better way
to do it?

Thank you for your time,
Charlie West
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20140808/21865e9e/attachment.html>

More information about the zeromq-dev mailing list