[ZODB-Dev] RFC: Proposal for AuthZEO (was SecureZEO one day)

Christian Reis kiko@async.com.br
Fri, 17 Jan 2003 20:14:47 -0200


On Fri, Jan 17, 2003 at 04:22:22PM -0500, Jeremy Hylton wrote:
> >>>>> "CR" == Christian Reis <kiko@async.com.br> writes:
> 
>   CR> Done. I've gone back to looking at the old messages, and I
>   CR> noticed that you suggested SRP. Just so you don't think I
>   CR> ignored this (or pluggable) authentication, I didn't - the
>   CR> protocol section was already done and I shipped it as was.
> 
>   CR> I'll have a look at an implementation I found at
>   CR> http://members.tripod.com/professor_tom/archives/srpsocket.html
>   CR> and see if we can reuse code from there. Does anybody have a
>   CR> comment on it?  There is no license stated, so I would have to
>   CR> write the author asking, but apart from that it doesn't seem
>   CR> like it would be a problem.
> 
> Do you have any idea how hard it will be to integrate the
> implementation with asyncore?  The ZEO client needs to avoid doing
> blocking socket operations from the main thread.

I wasn't thinking about using the socket part, just the implementation
of the SRP protocol. This means I would use the key exchange
mathematics, defined in SRP.py, but not the actual socket server
implementation.  Instead, I would integrate them into the methods as I
described in the RFC.

None of the operations are blocking in this case; the authentication
mechanisms are believed to be secure and even documented in an RFC. The
only issue remaining IMO is the patent issue, which may or may not be
considered a grave thing.

My personal hunch is that we should use it, and I would go ahead and
implement the merge, but since ZODB is a Zope.com product, I think it
would be best if I had your go-ahead on it.

Take care,
--
Christian Reis, Senior Engineer, Async Open Source, Brazil.
http://async.com.br/~kiko/ | [+55 16] 261 2331 | NMFL
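
Added example, not part of the original message and not code from SRP.py: a sketch of SRP key-exchange arithmetic kept separate from any socket code, so each step is a pure computation that a non-blocking transport can call as messages arrive. It assumes the SRP-6a equations and SHA-256; the function names are hypothetical and the group parameters are constructed for the demo.

```python
import hashlib
import secrets

# Constructed demo group (assumption): 2**127 - 1 is prime, but it is far too
# small and is not a safe prime. A deployment would use a standardized SRP group.
N, G = 2**127 - 1, 3
NLEN = (N.bit_length() + 7) // 8

def H(*parts):
    """Hash ints (padded to the byte length of N) and bytes into an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

K_MULT = H(N, G)  # SRP-6a multiplier k

def private_x(salt, user, password):
    return H(salt, hashlib.sha256(user + b":" + password).digest())

def make_verifier(user, password):
    """Enrolment: the server stores (salt, v) and never sees the password again."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, user, password), N)

def client_hello():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(G, a, N)                       # keep a, send A

def server_challenge(v):
    b = secrets.randbelow(N - 2) + 1
    return b, (K_MULT * v + pow(G, b, N)) % N    # keep b, send B

def client_key(user, password, salt, a, A, B):
    if B % N == 0:                               # a zero B would fix the secret
        raise ValueError("illegal server value B")
    u, x = H(A, B), private_x(salt, user, password)
    S = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    return hashlib.sha256(S.to_bytes(NLEN, "big")).digest()

def server_key(v, b, A, B):
    if A % N == 0:                               # A = 0 would force S = 0
        raise ValueError("illegal client value A")
    u = H(A, B)
    S = pow(A * pow(v, u, N) % N, b, N)
    return hashlib.sha256(S.to_bytes(NLEN, "big")).digest()
```

Both sides derive the same key only when the client's password matches the stored verifier; a full exchange would follow this with a proof-of-key message in each direction.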