On Thu, Aug 8, 2013 at 4:48 PM, Laurent Alebarde <[email protected]> wrote:

> Some other parts remain mysterious to me in
> their justification, but that's security aspects and I have just to say
> "amen".

My advice is to read the CurveCP site about 10 times over a week or two. It really takes some digesting, and then it will become clear.

> "So to create a Box [X](C->S) we sign using c and encrypt using S. To open
> the box we authenticate using C and open using s."

Is correct. Box [X](C'->S') would be signed using c' and encrypted using S'.

> Concerning ZAP, I have re-read the RFC27 and
> https://github.com/zeromq/rfc/blob/master/src/spec_27.c. Both the use cases
> and how to use it are unclear to me. BTW, it seems from RFC26 that CurveZMQ
> provides server and client authentication. So, why would we need ZAP ? There
> is something I don't catch.

One client socket can connect to one server and the server public key is assertive, i.e. you set it before connecting using a socket option, and if the key is invalid the connection will not succeed.

One server socket can accept many client connections and authentication happens out-of-band, invisibly to the socket reader. That happens via ZAP.

-Pieter
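An added example, not part of the original message and not libzmq's own code: the decision a ZAP handler makes for the many-clients server case described above, using the RFC 27 frame layout. The client key, user id, domain and address are constructed sample values, and the status texts and the use of 500 for a malformed request are assumptions of this example.

```python
# Added example: allowlist check for ZAP (RFC 27) requests, CURVE mechanism.
ZAP_VERSION = b"1.0"

# Constructed sample data: a fake 32-byte client public key and its user id.
ALICE_KEY = bytes(range(32))
ALLOWED_CLIENTS = {ALICE_KEY: b"alice"}


def zap_reply(request_id, code, text, user_id=b""):
    """Reply frames: version, request id, status code, status text,
    user id, metadata (left empty here)."""
    return [ZAP_VERSION, request_id, code, text, user_id, b""]


def handle_zap_request(frames, allowed=ALLOWED_CLIENTS):
    """Decide on one ZAP request, given as a list of bytes frames
    (envelope delimiter already stripped). Returns the reply frames."""
    if len(frames) < 6:
        return zap_reply(b"", b"500", b"Malformed request")
    version, request_id, domain, address, identity, mechanism = frames[:6]
    credentials = frames[6:]
    if version != ZAP_VERSION:
        return zap_reply(request_id, b"400", b"Invalid version")
    if mechanism != b"CURVE":
        # A server that expects CurveZMQ refuses weaker mechanisms.
        return zap_reply(request_id, b"400", b"CURVE required")
    # For CURVE, the single credential frame is the client's public
    # long-term key C, 32 raw bytes.
    if len(credentials) != 1 or len(credentials[0]) != 32:
        return zap_reply(request_id, b"400", b"Invalid credentials")
    user_id = allowed.get(credentials[0])
    if user_id is None:
        return zap_reply(request_id, b"400", b"Unknown client key")
    return zap_reply(request_id, b"200", b"OK", user_id)


def sample_request(key, mechanism=b"CURVE"):
    """Build a constructed request: version, request id, domain,
    address, identity, mechanism, then credentials."""
    return [ZAP_VERSION, b"1", b"global", b"192.0.2.10", b"", mechanism, key]


if __name__ == "__main__":
    for key in (ALICE_KEY, bytes(32)):
        print(handle_zap_request(sample_request(key))[2:5])
```

The handler only decides whether a presented public key is authorized and what user id to attach; the socket reader never sees this exchange.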
