The simple answer would be a shared secret, provided in the
configuration of the agent. So long as the master can provide the
shared secret to the agent, it'll respond appropriately. Client SSL
certs could work, though recent root-certificate-authority hacks may
make that less than perfect. But ultimately, I think the same sorts
of auth options that any web-app has available to it could be used, so
long as nothing is sent in clear-text.
Christian.
On 19-Jan-09, at 11:48 , Wendy Smoak wrote:
> In the current implementation, it seems that an agent will accept
> requests from anybody, though it will only send responses to the
> master URL in its configuration file.
> I'd like that to change so that an agent will only act on requests
> from its master, but just comparing the URLs doesn't seem good enough.
> How can the agent be sure that the server making the request really is
> who it says it is?
> --
> Wendy
Christian E. Gruber - President / Senior Consultant
Isráfíl Consulting Services Corporation
email: [email protected]
mobile: +1 (289) 221-9839
phone: +1 (905) 640-1119
"Keenness of understanding is due to keenness of vision..."
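
One way to apply the shared-secret idea from this thread without ever transmitting the secret, shown as an added example that is not part of the thread or the project's code: the master attaches an HMAC-SHA256 of each request, and the agent checks it along with a timestamp and nonce. The function and class names, the `X-*` header names and the 300-second window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)


def _canonical(method, path, body, ts, nonce):
    # Bind the MAC to everything the agent will act on; hashing the body
    # keeps the field boundaries unambiguous.
    digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, digest, ts, nonce]).encode()


def sign_request(secret, method, path, body, now=None):
    """Master side: build the auth headers for one request to the agent."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, _canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Nonce": nonce, "X-Signature": mac}


class AgentVerifier:
    """Agent side: act on a request only if it carries a valid, fresh MAC."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = {}  # nonce -> timestamp, pruned once the request would be stale

    def verify(self, method, path, body, headers, now=None):
        now = time.time() if now is None else now
        try:
            ts, nonce = headers["X-Timestamp"], headers["X-Nonce"]
            sent = headers["X-Signature"].encode()
            age = abs(now - int(ts))
        except (KeyError, ValueError, TypeError, AttributeError):
            return False  # missing or malformed auth headers
        msg = _canonical(method, path, body, ts, nonce)
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sent):  # constant-time compare
            return False  # wrong secret, or request altered in transit
        if age > MAX_SKEW:
            return False  # too old (or too far in the future) to accept
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            return False  # replay of a previously accepted request
        self.seen[nonce] = int(ts)
        return True
```

The MAC proves the request came from a holder of the secret and was not modified, but it does not hide the request contents; carrying it over TLS covers the "nothing sent in clear-text" condition.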