Hi Pieter,

I understand from here (http://hintjens.com/blog:45) that CurveZMQ is already available. That's very nice! I have some questions, please:

1. Which RFC is implemented (26)? Partially or totally?
2. Reading the RFC, could you please confirm/correct the following
   assertions:

    1. The CURVE mechanism guarantees both authentication of the
       server by the client and authentication of the client by the
       server (from RFC25: "The mechanism starts with a HELLO command
       from client to server, and continues with a handshake until each
       party has authenticated the other"). But from here
       (http://hintjens.com/blog:45): "For now the simplest model is
       that clients are given the server public key, and servers do not
       authenticate clients". Do we have both-sides authentication
       today or not?
    2. In RFC26, § Overall Operation of CurveZMQ, it looks like the
       server actually authenticates the client from its long-term
       public key from the INITIATE command, but there is no point
       where the client authenticates the server from its long-term
       public key. It is said the server is authenticated in the
       INITIATE command description. But actually it happens earlier,
       in the previous message from the server, which is the WELCOME
       message. So, my conclusion, if I am not wrong, is that there may
       be a typo in the WELCOME message description: "It also sends
       its short term public key, encrypted so only the client can read
       it." should? be "It also sends its long term public key,
       encrypted so only the client can read it." In the § "The WELCOME
       Command": "A welcome box (144 octets) that encrypts the server
       public connection key S' (32 octets) and the server cookie (96
       octets), from the server long-term key S to the client's
       connection key C'". I also reviewed the CurveCP pages for help,
       but I am a bit lost.
    3. Can the same server long-term public key be used for many
       clients (I assume yes from my understanding)?
    4. It's the long-term public keys that are used for
       authentication, and therefore they shall be known by the other
       end-point, so transmitted by other means.
    5. How does this CurveZMQ authentication mechanism compare with
       https certificates?
    6. The short-term keys are used for confidentiality.


Cheers,


Laurent.

_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
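The HELLO / WELCOME / INITIATE exchange the message above asks about, as an added illustration that is not part of this thread and not ZeroMQ or CurveZMQ project code. It follows the RFC 26 key schedule quoted in the message: the welcome box is sealed from the server long-term key S to the client connection key C', so the client authenticates the server at the moment it opens that box with (c', S), where S is the key it was given out of band; the server authenticates the client when it opens the vouch inside INITIATE, which is sealed from the client long-term key C to S'; one (S, s) pair serves every client, and the short-term pairs C'/S' are fresh per connection. Assumptions: X25519 is a plain-Python RFC 7748 ladder (not constant-time, illustration only); NaCl's crypto_box / crypto_secretbox (XSalsa20-Poly1305 in the real protocol) are replaced by a labelled stand-in built from a SHA-256 keystream and an HMAC-SHA256 tag, so the script needs only the standard library and the box sizes differ from the RFC's; the nonce prefixes follow RFC 26; the `Client`, `Server`, `run_handshake` and `impostor_rejected` names are hypothetical, and the `authorized` set stands in for whatever ZAP would decide.

```python
import hashlib, hmac, os
P, A24, BASEPOINT = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(scalar, point):   # RFC 7748 ladder in plain Python: illustration only, not constant-time
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(seed):                                 # -> (secret, public)
    return seed, x25519(seed, BASEPOINT)
# Stand-in for NaCl's secretbox/box (the real protocol uses XSalsa20-Poly1305 with HSalsa20
# key derivation): SHA-256 keystream XOR, then an HMAC-SHA256 tag over nonce||ciphertext.
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "little")).digest()
                    for i in range(n // 32 + 1))
def _seal(key, nonce, pt):
    ct = bytes(p ^ s for p, s in zip(pt, _ks(key, nonce, len(pt))))
    return hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct
def _open(key, nonce, sealed):
    tag, ct = sealed[:32], sealed[32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("box does not open: sender did not hold the matching secret key")
    return bytes(c ^ s for c, s in zip(ct, _ks(key, nonce, len(ct))))
def box(secret, public, nonce, pt):                # Box[pt](secret -> public)
    return _seal(hashlib.sha256(x25519(secret, public)).digest(), nonce, pt)
def box_open(secret, public, nonce, sealed):
    return _open(hashlib.sha256(x25519(secret, public)).digest(), nonce, sealed)

class Client:
    def __init__(self, long_seed, server_long_public):
        self.c, self.C = keypair(long_seed)        # long-term identity (C, c)
        self.S = server_long_public                # obtained out of band, never over the wire
        self.cp, self.Cp = keypair(os.urandom(32)) # connection key (C', c'), fresh per connection

    def hello(self):                               # HELLO = C' + Box[64 zero bytes](C'->S)
        n = os.urandom(8)
        return self.Cp, n, box(self.cp, self.S, b"CurveZMQHELLO---" + n, bytes(64))

    def initiate(self, welcome):
        wn, wbox = welcome
        # Server authentication happens here: the box opens only under (c', S), so its sealer held s.
        body = box_open(self.cp, self.S, b"WELCOME-" + wn, wbox)
        Sp, cookie = body[:32], body[32:]          # S' (32 bytes) followed by the opaque cookie
        vn, n = os.urandom(16), os.urandom(8)
        vouch = box(self.c, Sp, b"VOUCH---" + vn, self.Cp + self.S)   # Box[C'+S](C->S')
        return cookie, n, box(self.cp, Sp, b"CurveZMQINITIATE" + n, self.C + vn + vouch)

class Server:
    def __init__(self, long_seed, authorized):
        self.s, self.S = keypair(long_seed)        # one long-term (S, s) serves every client
        self.cookie_key = os.urandom(32)           # lets the server keep no state until INITIATE
        self.authorized = set(authorized)          # stand-in for the ZAP authorisation decision

    def welcome(self, hello):
        Cp, hn, hbox = hello
        box_open(self.s, Cp, b"CurveZMQHELLO---" + hn, hbox)       # reject junk before doing work
        sp, Sp = keypair(os.urandom(32))                            # connection key (S', s')
        cn, wn = os.urandom(16), os.urandom(16)
        cookie = cn + _seal(self.cookie_key, b"COOKIE--" + cn, Cp + sp)
        return wn, box(self.s, Cp, b"WELCOME-" + wn, Sp + cookie)  # Box[S'+cookie](S->C')

    def ready(self, initiate):
        cookie, n, ibox = initiate
        inner = _open(self.cookie_key, b"COOKIE--" + cookie[:16], cookie[16:])
        Cp, sp = inner[:32], inner[32:]
        body = box_open(sp, Cp, b"CurveZMQINITIATE" + n, ibox)
        C, vn, vouch = body[:32], body[32:48], body[48:]
        # Client authentication happens here: the vouch opens only under (s', C), so its sealer
        # held c; its content must also bind this C' to our S (no relaying it to another server).
        if box_open(sp, C, b"VOUCH---" + vn, vouch) != Cp + self.S:
            raise ValueError("vouch does not bind this connection")
        if C not in self.authorized:
            raise PermissionError("authenticated, but this client key is not authorised")
        return C                                   # from here on both sides box MESSAGEs with (C', S')

def run_handshake(client_seed, server_seed):
    server = Server(server_seed, [keypair(client_seed)[1]])   # operator pre-provisions C on the server
    client = Client(client_seed, server.S)                    # and hands S to the client
    return server.ready(client.initiate(server.welcome(client.hello()))) == client.C

def impostor_rejected(client_seed, server_seed):
    # Knowing S but not s, an impostor cannot forge a WELCOME that the client will accept.
    client = Client(client_seed, keypair(server_seed)[1])
    Cp, fake = client.hello()[0], Server(os.urandom(32), [])   # impostor with its own (S, s)
    try:
        client.initiate((bytes(16), box(fake.s, Cp, b"WELCOME-" + bytes(16), fake.S + bytes(112))))
    except ValueError:
        return True
    return False
```

`run_handshake` walks the three commands end to end and returns True when the server ends up holding the client's long-term key C; `impostor_rejected` shows the point of question 2: a party that knows the public S but not the secret s cannot produce a WELCOME box the client will open, which is exactly why the welcome box is sealed from S (long-term) rather than from S' (short-term), even though what it carries is S'. The `PermissionError` branch keeps authentication (the vouch opened, so the peer holds c) separate from authorisation (is this C allowed here), which is the part the servers in the "simplest model" quoted above can skip.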
