[rabbitmq-discuss] AMQP authentication with RabbitMQ

Darien Kindlund darien at kindlund.com
Mon Jul 20 20:46:09 BST 2009


Hi Matthias,

Great start!

Couple of basic questions:
1) So, for reference, would we call this AMQPS, AMQP-SSL, or SAMQP?
2) Are you planning on supporting CRLs and/or OCSP for certificate revocation?
3) Can we specify the cipher strength?

> Note that there is no association of subjectDNs and users, so in principle
> any user can use any trusted cert. That should be ok though as long as the
> username/password are treated as sensitive information in the same way as
> the private keys for the client certs.

4) Okay once SSL is supported natively, do you think a future version
of RabbitMQ would be able to map particular subjectDNs to existing
username/password credentials?  It would be really nice if clients
could authenticate with only client certs and nothing else.  An
example lightweight implementation could simply be:
- Create username/password pairs using rabbitmqctl, where each pair
really represents a "client profile".  We assume the password portion
will never be used, so we set it to something ridiculously long.
- Use rabbitmqctl to declare a many-to-one relationship between sets
of subjectDNs and usernames, where each subjectDN match maps to a
valid username.  Conflicting subjectDN entries could be resolved
either by: (a) first match wins (so order matters) or (b) most
specific match wins (and actively disallow duplicate
subjectDN/username bindings).

I'm guessing #4 may actually break the existing AMQP spec, since we're
talking about bypassing username/password authentication.  If that's
the case, I'm not sure if you typically wait for the spec to get
ratified before implementing any experimental features, such as this.

Regards,
-- Darien
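The subjectDN-to-username mapping sketched in point 4, worked through as an added example; this is illustrative code, not from the original post and not RabbitMQ's own implementation. A DN is treated as a set of attribute/value pairs, a binding pattern matches a certificate DN when the pattern's pairs are a subset of the certificate's, and both conflict rules from the post are implemented: (a) first match wins in binding order, and (b) most specific match wins, with duplicate pattern bindings refused and equally specific competing matches reported as ambiguous. The class and function names (`DnBindings`, `parse_dn`, `make_profile_password`) and the sample DNs are assumptions.

```python
import secrets
from typing import FrozenSet, List, Optional, Tuple

Pairs = FrozenSet[Tuple[str, str]]


def parse_dn(dn: str) -> Pairs:
    """Split 'CN=alice,OU=Ops,O=Example' into a set of (ATTR, value) pairs.

    Backslash-escaped commas inside values are honoured; attribute types are
    compared case-insensitively. Returning a set is what makes "more specific"
    simply mean "more RDN pairs in the pattern".
    """
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))

    pairs = set()
    for rdn in rdns:
        if not rdn.strip():
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.add((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


def make_profile_password() -> str:
    """Unguessable filler password for a cert-only 'client profile' (assumed helper)."""
    return secrets.token_urlsafe(48)


class DnBindings:
    """Ordered many-to-one table: subjectDN pattern -> existing username."""

    def __init__(self) -> None:
        self._bindings: List[Tuple[Pairs, str, str]] = []  # (pattern, pattern text, user)

    def bind(self, pattern_dn: str, username: str) -> None:
        pattern = parse_dn(pattern_dn)
        for existing, text, _ in self._bindings:
            if existing == pattern:
                # rule (b): the same pattern may not be bound twice
                raise ValueError(f"duplicate subjectDN binding: {text!r}")
        self._bindings.append((pattern, pattern_dn, username))

    def _matches(self, cert_dn: str) -> List[Tuple[Pairs, str]]:
        cert = parse_dn(cert_dn)
        return [(p, user) for p, _, user in self._bindings if p <= cert]

    def resolve_first_match(self, cert_dn: str) -> Optional[str]:
        """Rule (a): the earliest matching binding wins, so bind order matters."""
        matches = self._matches(cert_dn)
        return matches[0][1] if matches else None

    def resolve_most_specific(self, cert_dn: str) -> Optional[str]:
        """Rule (b): the pattern with the most RDN pairs wins; ties are an error."""
        matches = self._matches(cert_dn)
        if not matches:
            return None
        best = max(len(p) for p, _ in matches)
        winners = {user for p, user in matches if len(p) == best}
        if len(winners) > 1:
            raise ValueError(f"ambiguous subjectDN match for {cert_dn!r}: {sorted(winners)}")
        return winners.pop()


if __name__ == "__main__":
    table = DnBindings()
    table.bind("O=Example", "example-default")
    table.bind("OU=Ops,O=Example", "ops-profile")
    table.bind("CN=alice,OU=Ops,O=Example", "alice")
    cert = "CN=alice,OU=Ops,O=Example"
    print("first match   :", table.resolve_first_match(cert))
    print("most specific :", table.resolve_most_specific(cert))
```

With the bindings above, the two conflict rules give different answers for Alice's certificate: first-match-wins returns `example-default` because the broadest pattern was bound first, while most-specific-wins returns `alice`. A certificate that matches no pattern resolves to `None` under both rules, which is the point at which a broker would fall back to (or refuse) ordinary username/password authentication.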