[zeromq-dev] curveZMQ: authentication / ability to identify peers

Walter B. Rasmann zeromq.wbr at gmail.com
Sun Nov 15 19:27:25 CET 2015


First of all: Thanks for your reply!

I have read the examples at http://hintjens.com/blog:49 and I like them.
What I miss is a way for my application to distinguish between clients.
Typically "authentication" implies the ability to know "who" exactly is
connecting to you or who you are connecting to.

Currently I can authorize peers to connect to me by putting their public
key into my certificate store directory. So I know all peers, but in my
application code I can't know which peer is connected to me and can't use
this information for logging, authorization etc. At least I haven't found a
way to do that.

On Sun, Nov 15, 2015 at 6:56 PM, Chuck Price <chuck at peloton-tech.com> wrote:

> CurveZMQ provides mutual authentication already. The client provides its
> public key during connection establishment. If the server is authenticating
> clients (you can choose not to) it checks that public key against public
> keys it has registered.
>
> You have to implement the initial registration of clients yourself, in a
> secure fashion. Either you generate the client’s key pair and provide it to
> the client securely, or the client generates its key pair and provides it
> to the server securely. In either registration scenario, you have to
> pre-establish trust in some other way, else the keys you are exchanging
> can’t be trusted.
>
> -chuck
>
> > On Nov 15, 2015, at 9:43 AM, Walter B. Rasmann <zeromq.wbr at gmail.com>
> > wrote:
> >
> > I'm considering using curveZMQ for authentication and connection
> > security. Unfortunately I haven't found a way to identify connecting
> > clients. That would be needed in order to see if they are authorized to do
> > stuff on the server, which seems to be a typical use case whenever
> > authentication is used.
> >
> > My questions are:
> >
> > Would it be possible to extend the zeroMQ API to enable reading out
> > connection information which can be used for authentication?
> >
> > The following might be quite useful in this context:
> >   - authentication method
> >   - peer IP address
> >   - peer verified public key
> >   - peer verified username
> >
> > Are there any plans to implement something like that?
> >
> > Would that be considered a useful feature?
> > _______________________________________________
> > zeromq-dev mailing list
> > zeromq-dev at lists.zeromq.org
> > http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
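Added example, not part of the thread and not libzmq, czmq or pyzmq code: a stand-alone Python model of the server-side step Chuck describes, i.e. a ZAP (ZeroMQ Authentication Protocol, RFC 27) handler whose whole policy is "is this client's long-term public key in my certificate store?", plus the piece Walter is missing, how the verified key reaches application code. A ZAP reply carries a user-id; libzmq (4.1 and later) attaches that user-id to every message received from the authenticated peer, where it is read with zmq_msg_gets(msg, "User-Id") (the peer's IP is available the same way as "Peer-Address"). Returning the Z85 text of the verified public key as the user-id is therefore one way to get the "peer verified public key" into logging and authorization decisions. Assumptions: the certificate layout is the two-level `section / key = "value"` form czmq writes, the three 32-byte keys are made up and are not real Curve25519 keys, and the `role` metadata and the policy table in `authorize` are invented for illustration.

```python
"""Stand-alone model of CurveZMQ client authorisation via ZAP (RFC 27).
Added example, not libzmq/czmq/pyzmq code; standard library only.
The keys and certificates below are constructed for the example."""
import re
from typing import Dict, Iterable, List

# Z85 (RFC 32): the textual encoding ZeroMQ uses for 32-byte Curve keys.
Z85_ALPHABET = ("0123456789abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#")

def z85_encode(data: bytes) -> str:
    """Encode each 4-byte big-endian word as 5 base-85 digits."""
    if len(data) % 4:
        raise ValueError("Z85 input must be a multiple of 4 bytes")
    out = []
    for i in range(0, len(data), 4):
        value = int.from_bytes(data[i:i + 4], "big")
        digits = []
        for _ in range(5):
            value, d = divmod(value, 85)
            digits.append(Z85_ALPHABET[d])
        out.extend(reversed(digits))  # most significant digit first
    return "".join(out)

_KV = re.compile(r'^\s+([\w-]+)\s*=\s*"([^"]*)"\s*$')

def parse_certificate(text: str) -> Dict[str, Dict[str, str]]:
    """Parse czmq's 'section / indented key = "value"' certificate layout
    into {section: {key: value}}; lines starting with '#' are comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
        elif not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, {})
    return sections

def build_store(cert_texts: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Index certificates by Z85 public key -> metadata. This is the
    'put their public key into the certificate directory' registration step."""
    store: Dict[str, Dict[str, str]] = {}
    for text in cert_texts:
        cert = parse_certificate(text)
        key = cert.get("curve", {}).get("public-key", "")
        if len(key) != 40:  # 32 bytes -> 40 Z85 characters
            raise ValueError("certificate lacks a 40-character public-key")
        store[key] = cert.get("metadata", {})
    return store

def handle_zap_request(frames: List[bytes], store: Dict[str, Dict[str, str]]) -> List[bytes]:
    """ZAP request -> ZAP reply, both as frame lists.
    Request: version, request id, domain, address, identity, mechanism, credentials...
    Reply:   version, request id, status code, status text, user id, metadata.
    For CURVE the one credentials frame is the client's 32-byte long-term public
    key; the handshake already proved the client holds the matching secret key,
    so this handler only decides whether that key is known."""
    if len(frames) < 6 or frames[0] != b"1.0":
        rid = frames[1] if len(frames) > 1 else b""
        return [b"1.0", rid, b"500", b"Malformed ZAP request", b"", b""]
    request_id, mechanism, credentials = frames[1], frames[5], frames[6:]
    if mechanism != b"CURVE" or len(credentials) != 1 or len(credentials[0]) != 32:
        return [b"1.0", request_id, b"400", b"CURVE credentials required", b"", b""]
    key_text = z85_encode(credentials[0])
    if key_text not in store:
        return [b"1.0", request_id, b"400", b"Unknown public key", b"", b""]
    # 200 with the verified key as user-id: libzmq attaches it to every message
    # from this peer, where the application reads it back as "User-Id".
    return [b"1.0", request_id, b"200", b"OK", key_text.encode("ascii"), b""]

def authorize(user_id: str, action: str, store: Dict[str, Dict[str, str]]) -> bool:
    """Application-side decision keyed on a received message's "User-Id".
    The role -> actions table is invented for the example."""
    role = store.get(user_id, {}).get("role", "")
    policy = {"admin": {"read", "write", "shutdown"}, "reader": {"read"}}
    return action in policy.get(role, set())

# Constructed 32-byte "keys" (not real Curve25519 keys) and certificates.
ALICE_KEY, BOB_KEY = bytes(range(0, 32)), bytes(range(32, 64))
MALLORY_KEY = bytes(range(64, 96))  # never registered

def _cert(name: str, role: str, key: bytes) -> str:
    return (f"#   ZeroMQ CURVE Public Certificate (constructed example)\n"
            f"metadata\n    name = \"{name}\"\n    role = \"{role}\"\n"
            f"curve\n    public-key = \"{z85_encode(key)}\"\n")

SAMPLE_CERTS = [_cert("alice", "admin", ALICE_KEY), _cert("bob", "reader", BOB_KEY)]

def demo() -> Dict[str, str]:
    """One ZAP exchange per constructed key; returns {z85 key: status code}."""
    store = build_store(SAMPLE_CERTS)
    out: Dict[str, str] = {}
    for n, key in enumerate((ALICE_KEY, BOB_KEY, MALLORY_KEY), start=1):
        req = [b"1.0", str(n).encode(), b"global", b"127.0.0.1", b"", b"CURVE", key]
        out[z85_encode(key)] = handle_zap_request(req, store)[2].decode("ascii")
    return out
```

The point of the split between handle_zap_request and authorize is the one the thread circles around: the ZAP handler answers only "may this key connect at all?", while per-peer decisions (what alice may do that bob may not, which key to write into the audit log) belong in the application and need the verified key handed to it, which the user-id field is there for. Note that the handler must rely on the key frame and nothing else: the address and identity frames are untrusted hints, and a "Peer-Address" is only useful for logging, not as an authorization input.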