On Tue, Mar 15, 2011 at 5:05 PM, Paul Fremantle <[email protected]> wrote:
> On 15 March 2011 11:26, Dimuthu Leelarathne <[email protected]> wrote:
>
>>> 3) I don't understand the SQS secret key part.
>>> a) I'd expect to see both an access key and a secret key
>>
>> I need to clarify something regarding this "access key" and "secret key".
>> Right now access key is username and secret key is D for SQS. I think we can
>> keep it the same and implement your algorithm with minimal changes to UM. So
>> here is the implementation,
>>
>> 1) Generate X on server on first server start up and store it securely. We
>> can encrypt it using server's public key
>> 2) When a user requests an SQS key, generate D and store it in UM using
>> userStore.addUser(String username, String password) as follows.
>> userStore.addUser(SecureHash(U+X), D+X) - we store password hashed.
>> 3) Show D to user. User's access key is username and user's secret key is
>> D
>> 4) When user sends SQS requests using D, check the validity as follows.
>> userStore.authenticate(SecureHash(U+X), D+X)
>> 5) If the user is validated (i.e. authenticate is passed) the signature is
>> generated using D+X
>>
>> If it is done this way we need not show two keys to user. Of course we can
>> show two keys to user as well, i.e. in place of username we can show
>> SecureHash(U+X). But is it a requirement?
>
> Dimuthu
>
> The access key cannot be the username because it is a 20 digit key. See
>
> http://docs.amazonwebservices.com/AWSSimpleQueueService/2009-02-01/SQSGettingStartedGuide/
>
> So we need to do something to make it fit that.

Isn't it possible to relax this constraint? Since users have to get their key specific to the WSO2 MB and we do the authentication. If we use a separate access key we need to associate it with the real user name and used authorization. Otherwise there should be a user in the User store manager with the access key as well and only he has those permissions.
> I'm still not clear if the secret key is stored separately or just
> something we calculate from their existing password?

Currently it is stored in the registry, which is insecure.

thanks,
Amila.

> Paul
>
>> Thanks,
>> Dimuthu
>>
>>> b) I don't expect the user to change these: I thought they were going to
>>> be calculated.
>>>
>>> More feedback when I finally get it to build :-)
>>>
>>> Paul
>>>
>>> --
>>> Paul Fremantle
>>> CTO and Co-Founder, WSO2
>>> OASIS WS-RX TC Co-chair, VP, Apache Synapse
>>>
>>> Office: +44 844 484 8143
>>> Cell: +44 798 447 4618
>>>
>>> blog: http://pzf.fremantle.org
>>> twitter.com/pzfreo
>>> [email protected]
>>>
>>> wso2.com Lean Enterprise Middleware
>>>
>>> Disclaimer: This communication may contain privileged or other
>>> confidential information and is intended exclusively for the addressee/s. If
>>> you are not the intended recipient/s, or believe that you may have received
>>> this communication in error, please reply to the sender indicating that fact
>>> and delete the copy you received and in addition, you should not print,
>>> copy, retransmit, disseminate, or otherwise use the information contained in
>>> this communication. Internet communications cannot be guaranteed to be
>>> timely, secure, error or virus-free. The sender does not accept liability
>>> for any errors or omissions.
_______________________________________________ Carbon-dev mailing list [email protected] http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
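Steps 1 to 4 of the key-issuing procedure quoted in the message above, together with the 20-character access key constraint raised in reply, as an added example that is not part of the thread or of WSO2's code. Assumptions: `SecureHash(U+X)` is instantiated as HMAC-SHA256 keyed with X and truncated to 20 base32 characters, `UserStore` is a hypothetical in-memory stand-in for the UM user store, and the salted PBKDF2 hashing is a stand-in for "we store password hashed".

```python
import base64, hashlib, hmac, secrets

# Step 1: server secret X, generated once (constructed here; the proposal
# keeps it encrypted at rest under the server's public key).
X = secrets.token_bytes(32)

def access_key_id(username: str, x: bytes = X) -> str:
    """SecureHash(U+X) as HMAC-SHA256(X, U), cut to a 20-character ID."""
    mac = hmac.new(x, username.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode()[:20]

class UserStore:
    """Hypothetical stand-in for the UM user store; passwords kept hashed."""
    def __init__(self):
        self._users = {}   # access key ID -> (salt, password hash)
        self.owner = {}    # access key ID -> real username, for authorization

    def add_user(self, name: str, password: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, self._hash(password, salt))

    def authenticate(self, name: str, password: bytes) -> bool:
        record = self._users.get(name)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(stored, self._hash(password, salt))

    @staticmethod
    def _hash(password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def issue_key(store: UserStore, username: str, x: bytes = X):
    """Steps 2 and 3: generate D, store D+X under SecureHash(U+X), return D."""
    key_id = access_key_id(username, x)
    d = secrets.token_urlsafe(30)            # random secret key D
    store.add_user(key_id, d.encode() + x)
    store.owner[key_id] = username           # association with the real user
    return key_id, d

def check_key(store: UserStore, key_id: str, d: str, x: bytes = X) -> bool:
    """Step 4: validate a presented (access key, D) pair against the store."""
    return store.authenticate(key_id, d.encode() + x)
```

Because the access key is a one-way function of the username, the `owner` mapping is what lets the server recover the real user for authorization, the association the reply above asks about.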
