I’m new to 0MQ, so please excuse my ignorance about it.  I read the guide book, 
the blog entries on CurveZMQ, looked at the directory of 0MQ GitHub 
repositories, and googled around to see if anyone had added a D/TLS layer into 
0MQ. I didn’t find much of anything.

I did find the email below from 4 years ago, that seems to answer a similar 
question from back then.  Is it still the situation that 0MQ doesn’t readily 
support using D/TLS to secure its communications?

I ask because we have an existing PKI managing more than 2000 distributed 
identities and we use D/TLS to secure our mutually authenticated (the 
“Ironhouse Pattern”) point-to-point communications.  If it matters, we use 
Ephemeral Diffie-Hellman key exchanges with long term RSA keys.

From my reading, 0MQ looks really appealing to get away from low-level 
programming OpenSSL D/TLS, UDP, and TCP sockets, but not being able to use our 
existing security infrastructure would probably be a deal breaker.

I’d greatly appreciate any information on the current state of affairs of 0MQ 
security layers and whether or not adding D/TLS support to 0MQ is reasonable or 
not.

Thanks!
John

From ph at imatix.com  Fri Oct  4 00:46:06 2013
From: ph at imatix.com (Pieter Hintjens)
Date: Fri, 4 Oct 2013 00:46:06 +0200
Subject: [zeromq-dev] Using other kinds of certificates with CurveZMQ
In-Reply-To: 
<f321e1ddd74b4747be218256f9b069f313064...@gq1-ex10-mb05.y.corp.yahoo.com>
References: 
<f321e1ddd74b4747be218256f9b069f313064...@gq1-ex10-mb05.y.corp.yahoo.com>
Message-ID: <CADL5_shGNyOg8=nbsqw7eobnu4qskd_1pvwxp4pjda3mjep...@mail.gmail.com>

On Fri, Oct 4, 2013 at 12:34 AM, Steve Carney <carney at yahoo-inc.com> wrote:

> I have an infrastructure with existing certificates that is not ready to
> move to CurveCP yet.    Does CurveZMQ have an underlying framework (due
> using SASL) that I could use to implement SSL authentication (with and
> without encryption)?

No, CurveZMQ has its own properties. I've described this superficially
here: http://hintjens.com/blog:48

> I also have simple proprietary certificates that I'd like to support as part
> of establishing a client-server connection.  A simple cleartext key exchange
> would be sufficient.  Could CurveZMQ be leveraged for this as well?

Not directly... The keys that CurveZMQ uses are specific to the
elliptic curve cryptography used.  However you could use your existing
certificates and some (non-ZeroMQ) transport to exchange CurveZMQ
certificates.

-Pieter
_______________________________________________
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
https://lists.zeromq.org/mailman/listinfo/zeromq-dev
