To add to what Chandni mentioned, using self-signed certificates and
trusting them is another (though less secure) practice some deployments
leverage.
This ensures encryption over the wire, but does not allow for clients to
validate the identity of the Celeborn server components (so potentially liable
to DNS spoofing, MITM attacks, etc.).
This might or might not be acceptable to deployments.

Note that the proposal calls securing with TLS strongly recommended, but
not mandatory.

Regards,
Mridul


On Mon, Sep 18, 2023 at 11:37 AM Chandni Singh <singh.chan...@gmail.com>
wrote:

> Hi Zhongqiang,
> Yes, you are right. TLS implementation relies on digital certificates which
> are usually obtained from a trusted CA.
> In my experience, many organizations establish their own internal CAs to
> issue certificates for their internal networks, thus acting as trusted
> issuers for various services within the organization.
>
> In scenarios where an internal CA infrastructure is not available and we
> want to avoid a public trusted CA because they are paid, services may
> resort to using self-signed certificates. To establish trust in these
> self-signed certificates, clients must be explicitly configured to
> recognize them — either by installing them into the client's native trust
> store or by using a custom trust store that includes these certificates.
> These certificates are securely distributed to all relevant client-hosting
> machines using an out-of-band method. Once the trust store is properly
> configured, the client-side TLS settings can be adjusted to reference this
> trust store, thereby ensuring secure communication.
>
> Chandni
>
> On Mon, Sep 18, 2023 at 5:18 AM Zhongqiang Chen <zhongqiangc...@apache.org> wrote:
>
> >
> > Hi Chandni,
> >
> > I have a question about how to implement TLS handshake and how to obtain
> > the certificate?
> > Based on my understanding, TLS implementation generally relies on digital
> > certificates which are obtained from a trusted certificate authority (CA).
> > It requires some money to obtain a CA certificate.
> > Thanks,
> > Zhongqiang Chen
> >
> >
> >
> > At 2023-09-15 06:34:02, "Chandni Singh" <singh.chan...@gmail.com> wrote:
> > >Hello Celeborn community,
> > >
> > >We have a proposal to add authentication to Celeborn:
> > >
> > >https://docs.google.com/document/d/1D1U2COYhS3ob7l0t2WghRhBk_Fci9RGx-2FBXA3nvXk/edit#heading=h.m97qw1fpl5kv
> > >
> > >Would really appreciate feedback from the community on this proposal.
> > >
> > >Please let me know if there is a particular format that the Celeborn
> > >community follows for proposals and I will convert it into that format.
> > >
> > >Thank you
> > >Chandni
> >
>
