Hi Udo,

> But the question for me is, if it is needed to be done in Tryton itself?
> 
> Is there no more flexible way to do it on the OS communication layer
> instead of the application layer, like ssh-tunneling, VPN, Apache?

Now this is opening a quite different, new discussion:

Should Tryton implement secure communication at all?

I think so, for several reasons:

* Tryton already has some kind of secure communication. Removing it
  would leave a bad impression on the users.

* Users are used to applications implementing secure communications. So
  we are meeting the users' expectation here.

* Using VPN would be an option iff we were in an IPv6 world -- which
  implements IPSec per default. But IPv6 is still yet to come, so this
  is not really an option.

* Every other technique is much more difficult to implement.

* Tryton service providers will have a *hard* time helping their
  customers to implement secure communications, since they not only
  need to support Tryton, but also the client OS :-(

IMHO secure communications should be available as easily as possible
(without sacrificing security).

Some comments about the techniques you mentioned:

* ssh tunneling IMHO is not a good option:
  - It would require additional configuration *per user*.
  - This would add yet another authentication layer.
  - One would need to try hard to configure it right so the user can
    only use the tunnel but not log in. This adds complexity.
  - If the Tryton server is running on Windows, ssh is not available as
    easy as in *nix systems.

* Apache would only help on the server side, the client would still have
  to implement SSL.

* Apache only supports HTTPS, but netrpc is transmitted using its own
  protocol. So Apache would not be of any help here. Additionally this
  would make setting up a secure communication for tryton much more
  difficult, since one would have to configure Apache, too.

-- 
Kind regards - Regards
Hartmut Goebel
Dipl.-Informatiker (univ.), CISSP, CSSLP

Goebel Consult
Specialist in IT security in complex environments
http://www.goebel-consult.de

Monthly column: http://www.cissp-gefluester.de/
Goebel Consult is a member of http://www.7-it.de

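The ssh-tunneling bullet above notes that a tunnel key has to be configured carefully so the user can only forward the Tryton port but not log in. The following is an added example, not code from the thread or from the Tryton project, showing what that lockdown looks like in OpenSSH `authorized_keys` options, plus a small audit that lists keys which still grant a full shell. It assumes OpenSSH 7.2 or newer (for the `restrict` option) and a Tryton server listening on 127.0.0.1:8070; the port, key material and user names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSH >= 7.2 and a
# Tryton server on 127.0.0.1:8070 (assumed port; adjust to your installation).

# Build an authorized_keys line that permits exactly one local forward to the
# Tryton port: "restrict" disables pty, agent/X11 forwarding and every other
# feature, "port-forwarding" re-enables forwarding, "permitopen" pins the
# destination and the forced command prevents an interactive shell.
# The client then connects with:  ssh -N -L 8070:127.0.0.1:8070 tunnel@server
tunnel_only_key_line() {
    pubkey="$1"          # e.g. "ssh-ed25519 AAAA... alice@example" (constructed)
    port="${2:-8070}"    # assumed Tryton netrpc port
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s",command="/bin/false" %s\n' \
        "$port" "$pubkey"
}

# Audit helper: print every key in an authorized_keys file that is neither
# restricted nor bound to a forced command, i.e. keys that would let the
# tunnel user log in normally. Comments and blank lines are skipped.
unrestricted_forward_keys() {
    file="$1"
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        opts="${line%% *}"           # first field: options, or the key type
        case "$opts" in
            ssh-*|ecdsa-*|sk-*) opts="" ;;   # no options field at all
        esac
        if printf '%s\n' "$opts" | grep -qE '(^|,)(restrict|command=)'; then
            continue                  # locked down: nothing to report
        fi
        printf '%s\n' "$line"
    done
}

# Stand-alone demo on a constructed authorized_keys file.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/authorized_keys"
{
    echo '# constructed sample file'
    echo 'ssh-ed25519 AAAAC3Nza...bob bob@example'      # full shell access
    tunnel_only_key_line 'ssh-ed25519 AAAAC3Nza...alice alice@example' 8070
} > "$demo_file"
echo "Keys with unrestricted login:"
unrestricted_forward_keys "$demo_file"
rm -rf "$demo_dir"
```

Running the script lists only bob's key, because alice's line carries the `restrict` and `command=` options. On the server side this is all that a tunnel-only account needs; the remaining cost the post describes (one key and one line per user, and a second authentication step before the Tryton login) is exactly what the audit does not remove.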