[rabbitmq-discuss] AMQP authentication with RabbitMQ
Darien Kindlund
darien at kindlund.com
Mon Jul 20 20:46:09 BST 2009
Hi Matthias,
Great start!
Couple of basic questions:
1) So, for reference, would we call this AMQPS, AMQP-SSL, or SAMPQ ?
2) Are you planning on supporting CRLs and/or OCSP for certificate revocation?
3) Can we specify the cipher strength?
> Note that there is no association of subjectDNs and users, so in principle
> any user can use any trusted cert. That should be ok though as long as the
> username/password are treated as sensitive information in the same way as
> the private keys for the client certs.
4) Okay, once SSL is supported natively, do you think a future version
of RabbitMQ would be able to map particular subjectDNs to existing
username/password credentials? It would be really nice if clients
could authenticate with only client certs and nothing else. An
example lightweight implementation could simply be:
- Create username/password pairs using rabbitmqctl, where each pair
really represents a "client profile". We assume the password portion
will never be used, so we set it to something ridiculously long.
- Use rabbitmqctl to declare a many-to-one relationship between sets
of subjectDNs and usernames, where each subjectDN match maps to a
valid username. Conflicting subjectDN entries could be resolved
either by: (a) first match wins (so order matters) or (b) most
specific match wins (and actively disallow duplicate
subjectDN/username bindings).
I'm guessing #4 may actually break the existing AMQP spec, since we're
talking about bypassing username/password authentication. If that's
the case, I'm not sure if you typically wait for the spec to get
ratified before implementing any experimental features, such as this.
Regards,
-- Darien
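The subjectDN-to-username mapping sketched in the message above, with both of the proposed conflict-resolution rules, as an added illustration. This is not RabbitMQ code and not the author's, and it assumes a simplified DN syntax ("CN=a,OU=b,O=c", no escaping) and a hypothetical `DNBindings` store standing in for what rabbitmqctl would manage; usernames and DNs below are constructed sample values.

```python
"""Illustrative subjectDN -> username binding resolution (not RabbitMQ code)."""
from typing import Dict, List, Optional, Tuple


class AmbiguousBinding(LookupError):
    """Raised when two equally specific bindings both match a subject."""


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=a,OU=b,O=c' into {'CN': 'a', 'OU': 'b', 'O': 'c'}.

    Hypothetical simplified parser: attribute names are case-insensitive,
    values are compared verbatim, and RFC 4514 escaping is not handled.
    """
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def dn_matches(pattern: Dict[str, str], subject: Dict[str, str]) -> bool:
    """A pattern matches when every attribute it names is present with the same value."""
    return all(subject.get(k) == v for k, v in pattern.items())


class DNBindings:
    """Ordered list of (subjectDN pattern, username) bindings."""

    def __init__(self) -> None:
        self._bindings: List[Tuple[Dict[str, str], str]] = []

    def bind(self, pattern_dn: str, username: str) -> None:
        """Add a binding; identical patterns are rejected (rule (b) in the message)."""
        pattern = parse_dn(pattern_dn)
        for existing, _ in self._bindings:
            if existing == pattern:
                raise ValueError(f"duplicate subjectDN binding: {pattern_dn!r}")
        self._bindings.append((pattern, username))

    def resolve_first_match(self, subject_dn: str) -> Optional[str]:
        """Rule (a): the first binding (in declaration order) that matches wins."""
        subject = parse_dn(subject_dn)
        for pattern, username in self._bindings:
            if dn_matches(pattern, subject):
                return username
        return None  # no binding: treat as authentication failure

    def resolve_most_specific(self, subject_dn: str) -> Optional[str]:
        """Rule (b): the matching binding naming the most attributes wins.

        Two distinct patterns of equal specificity that both match cannot be
        ordered, so that case is reported rather than silently picking one.
        """
        subject = parse_dn(subject_dn)
        matches = [(len(p), u) for p, u in self._bindings if dn_matches(p, subject)]
        if not matches:
            return None
        best = max(n for n, _ in matches)
        winners = {u for n, u in matches if n == best}
        if len(winners) > 1:
            raise AmbiguousBinding(f"{subject_dn!r} matches {sorted(winners)} equally")
        return winners.pop()


def sample_bindings() -> DNBindings:
    """Constructed sample table: a broad org-wide profile, an OU profile, one per-cert profile."""
    b = DNBindings()
    b.bind("OU=ops,O=Example", "ops-profile")
    b.bind("O=Example", "example-default")
    b.bind("CN=admin1,OU=ops,O=Example", "admin-profile")
    return b


if __name__ == "__main__":
    b = sample_bindings()
    for dn in ("CN=admin1,OU=ops,O=Example", "CN=bob,OU=dev,O=Example", "CN=x,O=Other"):
        print(dn, "->", b.resolve_first_match(dn), "/", b.resolve_most_specific(dn))
```

The two rules diverge on exactly the case the message anticipates: with the table above, a cert for `CN=admin1,OU=ops,O=Example` resolves to `ops-profile` under first-match (because the OU binding was declared first) but to `admin-profile` under most-specific. The duplicate check in `bind` only catches byte-identical patterns; distinct patterns of equal size can still collide, which is why `resolve_most_specific` refuses rather than guessing.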