[rabbitmq-discuss] AMQP authentication with RabbitMQ
darien at kindlund.com
Mon Jul 20 20:46:09 BST 2009
Couple of basic questions:
1) So, for reference, would we call this AMQPS, AMQP-SSL, or SAMQP ?
2) Are you planning on supporting CRLs and/or OCSP for certificate revocation?
3) Can we specify the cipher strength?
> Note that there is no association of subjectDNs and users, so in principle
> any user can use any trusted cert. That should be ok though as long as the
> username/password are treated as sensitive information in the same way as
> the private keys for the client certs.
4) Okay, once SSL is supported natively, do you think a future version
of RabbitMQ would be able to map particular subjectDNs to existing
username/password credentials? It would be really nice if clients
could authenticate with only client certs and nothing else. An
example lightweight implementation could simply be:
- Create username/password pairs using rabbitmqctl, where each pair
really represents a "client profile". We assume the password portion
will never be used, so we set it to something ridiculously long.
- Use rabbitmqctl to declare a many-to-one relationship between sets
of subjectDNs and usernames, where each subjectDN match maps to a
valid username. Conflicting subjectDN entries could be resolved
either by: (a) first match wins (so order matters) or (b) most
specific match wins (and actively disallow duplicate
I'm guessing #4 may actually break the existing AMQP spec, since we're
talking about bypassing username/password authentication. If that's
the case, I'm not sure if you typically wait for the spec to get
ratified before implementing any experimental features, such as this.
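The subjectDN-to-username mapping sketched in point 4, including both conflict-resolution options (first match wins vs. most specific match wins with duplicates rejected), written out in Python as an added example. This is not code from the original post and not RabbitMQ's own implementation: it assumes DNs arrive as RFC 2253-style strings ("CN=alice,OU=billing,O=Example Corp"), that a rule is a subset of DN attributes that must all match, that specificity is the number of attributes in the rule, and that the sample rules and DNs below are constructed for illustration.

```python
"""Map TLS client-certificate subject DNs to broker usernames (illustrative)."""
from __future__ import annotations


class AmbiguousMatch(Exception):
    """Raised when several equally specific rules map one DN to different users."""


def parse_dn(dn: str) -> dict[str, str]:
    """Parse 'CN=alice,OU=billing,O=Example Corp' into {'CN': 'alice', ...}.

    Backslash-escaped commas inside values are honoured; attribute types are
    upper-cased so matching is type-case-insensitive. Assumption: each
    attribute type appears at most once (no multi-valued RDNs).
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    attrs: dict[str, str] = {}
    for rdn in rdns:
        if not rdn.strip():
            continue
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


class Rule:
    """A subjectDN pattern (attribute subset) mapped to one username."""

    def __init__(self, pattern: dict[str, str], username: str) -> None:
        self.pattern = {k.upper(): v for k, v in pattern.items()}
        self.username = username

    def matches(self, attrs: dict[str, str]) -> bool:
        # Every attribute named in the rule must be present with an equal value.
        return all(attrs.get(k) == v for k, v in self.pattern.items())

    @property
    def specificity(self) -> int:
        return len(self.pattern)


def validate_rules(rules: list[Rule]) -> None:
    """Reject two rules with the identical pattern (the 'disallow duplicates' option)."""
    seen: set[frozenset] = set()
    for rule in rules:
        key = frozenset(rule.pattern.items())
        if key in seen:
            raise ValueError(f"duplicate subjectDN pattern: {dict(rule.pattern)}")
        seen.add(key)


def resolve_first_match(rules: list[Rule], dn: str) -> str | None:
    """Option (a): rules are ordered, the first one that matches wins."""
    attrs = parse_dn(dn)
    for rule in rules:
        if rule.matches(attrs):
            return rule.username
    return None


def resolve_most_specific(rules: list[Rule], dn: str) -> str | None:
    """Option (b): the rule naming the most attributes wins; a tie between
    rules that point at different usernames is an error, not a silent pick."""
    attrs = parse_dn(dn)
    candidates = [r for r in rules if r.matches(attrs)]
    if not candidates:
        return None
    best = max(r.specificity for r in candidates)
    winners = {r.username for r in candidates if r.specificity == best}
    if len(winners) > 1:
        raise AmbiguousMatch(f"{dn!r} matches {sorted(winners)} equally well")
    return winners.pop()


# Constructed sample rule set: least specific first, so order matters for (a).
RULES = [
    Rule({"O": "Example Corp"}, "example-default"),
    Rule({"O": "Example Corp", "OU": "billing"}, "billing-svc"),
    Rule({"CN": "alice", "OU": "billing", "O": "Example Corp"}, "alice"),
]

if __name__ == "__main__":
    validate_rules(RULES)
    for dn in ("CN=alice,OU=billing,O=Example Corp",
               "CN=bob,OU=billing,O=Example Corp",
               "CN=eve,O=Other"):
        print(dn, "->", resolve_first_match(RULES, dn), "/",
              resolve_most_specific(RULES, dn))
```

Note that this only yields a username; a broker using it would still have to skip the password check for connections authenticated this way, which is exactly the spec question raised above. The matcher also does nothing about certificate validity or revocation (questions 2 and 3), which the TLS layer must settle before the DN is trusted at all.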