[zeromq-dev] Custom authenticator

Charles West crwest at ncsu.edu
Fri Aug 8 22:44:30 CEST 2014


Also, does anyone know of a good way to sign using CurveZMQ keys?  I could
bind them to a second key (used for signing) using a permission signed by a
certificate authority, but that seems clunky.


On Fri, Aug 8, 2014 at 4:42 PM, Charles West <crwest at ncsu.edu> wrote:

> Hello,
>
> I've been digging into the spec for CurveZMQ as part of my efforts to
> build a secure alternative to ROS.  I believe I have figured out what I
> need to do for the next part, but I thought I should ask to see if I am on
> the right track and see if there might be better ways that more experienced
> people know of.
>
> I need to maintain an in-memory list of accepted keys for each socket and
> have connections for each of those sockets accepted/rejected based on the
> associated key stores.
>
> It looks like once security domains are implemented I will be able to make
> something of this nature by creating a security domain for each socket and
> a folder to maintain the allowed certificates for each domain.  In the
> meantime, I could have a context for each socket and its own associated folder
> (clunky, but works).  However, as this is supposed to be a background
> library, it would be much better if it didn't need to have a folder with
> write access to do its own bookkeeping.
>
> 27/ZAP - ZeroMQ Authentication Protocol and looking at the source for CZMQ
> seems to indicate a better way.  If I am reading it correctly, ZeroMQ will
> send any connection requests over to an inproc server with endpoint
> "inproc://zeromq.zap.01".  This server is normally made automatically by
> CZMQ calls, but it is not necessary that the library creates it.  Instead,
> my code could bind the endpoint and implement its part of the 27/ZAP
> protocol (the curve part, at least).  It can maintain its own list of keys
> and implement the security domains to allow a unique in-memory store to be
> kept for each object.
>
> If I may ask, does this last solution sound right?  Is there any better
> way to do it?
>
> Thank you for your time,
> Charlie West
>
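
A sketch of the handler logic the quoted message describes, as an added example that is not code from the post or from CZMQ: it processes 27/ZAP 1.0 request frames for the CURVE mechanism against a per-domain in-memory key set. The class and method names are hypothetical, and the socket bound to "inproc://zeromq.zap.01" that would feed it frames is left out so the block runs without libzmq.

```python
# Added example: 27/ZAP request handling with per-domain in-memory CURVE keys.
ZAP_VERSION = b"1.0"


class InMemoryZapAuthenticator:
    """Decides ZAP requests from per-domain sets of allowed CURVE public keys."""

    def __init__(self):
        self._allowed = {}  # domain (bytes) -> set of 32-byte public keys

    def allow(self, domain, public_key):
        if len(public_key) != 32:
            raise ValueError("CURVE public keys are 32 raw bytes")
        self._allowed.setdefault(domain, set()).add(public_key)

    def revoke(self, domain, public_key):
        self._allowed.get(domain, set()).discard(public_key)

    def handle(self, frames):
        """Take request frames (after the empty delimiter), return reply frames."""
        # Request: version, request id, domain, address, identity, mechanism,
        # then the credentials frames (for CURVE: one 32-byte public key).
        if len(frames) < 6:
            return self._reply(b"", b"400", b"Malformed request")
        version, request_id, domain, _address, _identity, mechanism = frames[:6]
        credentials = frames[6:]
        if version != ZAP_VERSION:
            return self._reply(request_id, b"400", b"Invalid version")
        if mechanism != b"CURVE":
            return self._reply(request_id, b"400", b"Unsupported mechanism")
        if len(credentials) != 1 or len(credentials[0]) != 32:
            return self._reply(request_id, b"400", b"Invalid credentials")
        client_key = credentials[0]
        # Default deny: a domain nobody registered has an empty allow list.
        if client_key in self._allowed.get(domain, ()):
            user_id = client_key.hex().encode()
            return self._reply(request_id, b"200", b"OK", user_id)
        return self._reply(request_id, b"400", b"Key not allowed for domain")

    @staticmethod
    def _reply(request_id, status, text, user_id=b""):
        # Reply: version, request id, status code, status text, user id, metadata.
        # The user id is only filled in for a 200 reply.
        return [ZAP_VERSION, request_id, status, text, user_id, b""]
```
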