Re: [zeromq-dev] C4 - The Good, the Bad and the Ugly?
Hey Esa,

Thank you for taking the time to respond!

If I understand you correctly, you like the basic properties of the C4 process but had difficulties adjusting it to work on a corporate project that had interfaces not built with it in mind? Does that sound right?

Do you think the scheduling issues would still be a problem if your organization was built from the ground up with use of the C4 standard in mind?

Thanks,
Charlie

On Sat, Feb 6, 2021 at 4:06 AM Esa HekmatiZadeh wrote:

> Hey Charlie,
>
> I have used the C4 model in a corporate project in a private company. It has a lot of brilliant ideas and novel benefits, however there are certain things that you should be aware of before using it. Like other things, it has pros and cons. In this email I will try to explain my thoughts and experience about it. Of course, my understanding of C4 might not be fully valid and correct, I ask others to correct my understanding about it if I describe something wrong.
>
> The first positive point that comes to my mind is that it really appreciates diversity in the team. By its democratic model, it enables everyone to have equal voices and it really helps collective ownership of the project. Besides that, it has a very simple and understandable model for every developer, it's really easy to apply it in a project without worry about complex branching models and different kinds of tasks. One novel idea in C4 is that every change should address a problem, everything's a problem, there is no distinguishing between Task, Story, Feature, Bug ...
>
> The above positive points in C4 make it a really useful model in developing an open-source project, however its too democratic approach may not be suitable in all environments.
> For example, in our case, we had a lot of important issues at hand, a rigid roadmap defined by product managers, and limited resources. C4 does not tell you how you should prioritize your tasks in the team. Of course, the approach that "everything is a problem" would help you a lot to find out most important problems in the project and address them first, although it's a little hard to communicate it with product managers, and also, it requires every team member to have a solid understanding of the business needs and the whole big picture, it's not an impossible thing, but it requires a very mature and pro-active culture. Maybe having some additional principles to prioritizing tasks and making consensus about most important issues to work on, could improve it in this kind of situation.
>
> --
> Best Regards,
> Esa
>
> On Fri, Feb 5, 2021 at 7:59 PM Charles West wrote:
>
>> Hello!
>>
>> I'm a longtime user of ZMQ and fan of the project. I've been reviewing Pieter's writings about the C4 process and would like to use it for the (robotics/Godot/machine learning based) open source project I am hoping to launch in the next few months.
>>
>> Before I commit to that though, I was wondering if the awesome people of the ZMQ mailing list might be willing to tell me about their experience?
>>
>> Does it work as well as Pieter said it did?
>>
>> Biggest advantages over other processes you've worked with?
>>
>> Biggest problems you've run into?
>>
>> Would you recommend it for a new project?
>>
>> Thanks,
>> Charlie West
>> ___
>> zeromq-dev mailing list
>> zeromq-dev@lists.zeromq.org
>> https://lists.zeromq.org/mailman/listinfo/zeromq-dev
[zeromq-dev] C4 - The Good, the Bad and the Ugly?
Hello!

I'm a longtime user of ZMQ and fan of the project. I've been reviewing Pieter's writings about the C4 process and would like to use it for the (robotics/Godot/machine learning based) open source project I am hoping to launch in the next few months.

Before I commit to that though, I was wondering if the awesome people of the ZMQ mailing list might be willing to tell me about their experience?

Does it work as well as Pieter said it did?

Biggest advantages over other processes you've worked with?

Biggest problems you've run into?

Would you recommend it for a new project?

Thanks,
Charlie West
Re: [zeromq-dev] Any way to get key used for router connection
Hey Pieter,

Thank you. Since that functionality isn't available in the Ubuntu package and I don't think the trust would currently be justified, I ended up using libsodium directly and just signing the messages before they were forwarded. Since the resulting messages will be publicly distributed, the loss of encryption hopefully won't matter.

I've submitted a request to the Ubuntu maintainers to have Laszlo's Debian package added to the repositories. I am hopeful that it will be soon.

Thanks again,
Charlie West

On Tue, Aug 18, 2015 at 3:58 AM, Pieter Hintjens p...@imatix.com wrote:

Hi Charlie,

Indeed the support for user IDs appeared in 4.1. Typically the authenticator uses the client public key to read a certificate and extract the user id from that.

As a workaround you can simply send metadata yourself and maintain state per client connection. You do then have to trust authenticated clients to behave.

-Pieter

On Mon, Aug 17, 2015 at 5:21 PM, Charles West crw...@ncsu.edu wrote:

Hey Arnaud,

Thanks. That makes sense, but the zmq_msg_gets function isn't available in ZMQ 4.0.4 (I wish it was!). Laszlo has ported 4.1 to Debian as the libzmq5-dev package and I just submitted a request to Ubuntu to have the package ported. Till then, I guess the choice is not doing per connection things until the package is out or including the ZMQ 4.1 version as part of the project to be compiled/linked to.

Thanks again,
Charlie West

On Mon, Aug 17, 2015 at 10:48 AM, Arnaud Kapp kapp.a...@gmail.com wrote:

Hello,

There is an easy way to do what you want, but it isn't obvious at first.

ZAP is actually allowed to set a User-Id meta-data property for all messages from a connection. This means that your ZAP code can choose to set the curve key as the user-id for the connection.

To set a user-id property from the ZAP handling code, you simply have to specify it in the ZAP reply you write. You will then be able to retrieve the user-id (which would be the curve public key, if you choose so) by doing something like zmq_msg_gets(msg, "User-Id");

Hope this helps.

On Mon, Aug 17, 2015 at 4:03 PM, Charles West crw...@ncsu.edu wrote:

Hey Pieter,

Thank you for taking the time to respond. I have read both of the blog entries, the source for zauth and based my code off of the specification for the ZAP protocol. The closest/most relevant documentation I saw was your discussion with Stephen Eley in the "Confirm authentication and retrieve metadata?" thread.

If I may ask, is there some obvious way that I am missing to get the key associated with a connection with a Router in ZMQ 4.0.4 (the zmq available in the Ubuntu repositories)? Alternatively, is there any good way to figure out which router connection a ZAP request refers to?

I apologize if I have missed something obvious, but the examples I have seen seem focused on go/no go authentication rather than keys with different levels of permissions.

Thanks,
Charlie West

On Mon, Aug 17, 2015 at 6:35 AM, Pieter Hintjens p...@imatix.com wrote:

Have you studied the security examples I wrote?

- read http://hintjens.com/blog:48 and http://hintjens.com/blog:49
- don't use ROUTER identity, the field is really a routing key and has nothing to do with peer identity
- look at how CZMQ's zauth works, and look at the RFC for the ZAP protocol (http://rfc.zeromq.org/spec:27)

On Mon, Aug 17, 2015 at 5:43 AM, Charles West crw...@ncsu.edu wrote:

Hello!

I'm building the second version of an open source differential GPS sharing software (pylongps.com). I've run into a bit of a snag though.

Does anyone know of a good way to get the key associated with a CURVE router connection? ZAP authentication can check if a key is on the whitelist, but it doesn't appear to provide more than a go/no go. I need to be able to check the key associated with a specific ROUTER connection so that I can limit what the owner of a particular connection key can do (people with one key can't pretend to be someone else).

My original idea was to use the ZMQ_IDENTITY field to set the connection ID to a superset of the connection key, then just have the ZAP handler verify the connection ID contained the key at the beginning. Further ID processing would then be done via the connection ID at the router socket. However, the ZMQ_IDENTITY set does not show up in the ZAP messages, so this isn't possible. Further reading of the mailing list indicates that the ZMQ_IDENTITY isn't supposed to propagate like that anyway.

The brute force solution would be to force an authentication exchange using a signing key and a nonce at the router (router sends nonce, client signs or encrypts
Re: [zeromq-dev] Any way to get key used for router connection
Hey Arnaud,

Thanks. That makes sense, but the zmq_msg_gets function isn't available in ZMQ 4.0.4 (I wish it was!). Laszlo has ported 4.1 to Debian as the libzmq5-dev package and I just submitted a request to Ubuntu to have the package ported. Till then, I guess the choice is not doing per connection things until the package is out or including the ZMQ 4.1 version as part of the project to be compiled/linked to.

Thanks again,
Charlie West

On Mon, Aug 17, 2015 at 10:48 AM, Arnaud Kapp kapp.a...@gmail.com wrote:

Hello,

There is an easy way to do what you want, but it isn't obvious at first.

ZAP is actually allowed to set a User-Id meta-data property for all messages from a connection. This means that your ZAP code can choose to set the curve key as the user-id for the connection.

To set a user-id property from the ZAP handling code, you simply have to specify it in the ZAP reply you write. You will then be able to retrieve the user-id (which would be the curve public key, if you choose so) by doing something like zmq_msg_gets(msg, "User-Id");

Hope this helps.

On Mon, Aug 17, 2015 at 4:03 PM, Charles West crw...@ncsu.edu wrote:

Hey Pieter,

Thank you for taking the time to respond. I have read both of the blog entries, the source for zauth and based my code off of the specification for the ZAP protocol. The closest/most relevant documentation I saw was your discussion with Stephen Eley in the "Confirm authentication and retrieve metadata?" thread.

If I may ask, is there some obvious way that I am missing to get the key associated with a connection with a Router in ZMQ 4.0.4 (the zmq available in the Ubuntu repositories)? Alternatively, is there any good way to figure out which router connection a ZAP request refers to?

I apologize if I have missed something obvious, but the examples I have seen seem focused on go/no go authentication rather than keys with different levels of permissions.

Thanks,
Charlie West

On Mon, Aug 17, 2015 at 6:35 AM, Pieter Hintjens p...@imatix.com wrote:

Have you studied the security examples I wrote?

- read http://hintjens.com/blog:48 and http://hintjens.com/blog:49
- don't use ROUTER identity, the field is really a routing key and has nothing to do with peer identity
- look at how CZMQ's zauth works, and look at the RFC for the ZAP protocol (http://rfc.zeromq.org/spec:27)

On Mon, Aug 17, 2015 at 5:43 AM, Charles West crw...@ncsu.edu wrote:

Hello!

I'm building the second version of an open source differential GPS sharing software (pylongps.com). I've run into a bit of a snag though.

Does anyone know of a good way to get the key associated with a CURVE router connection? ZAP authentication can check if a key is on the whitelist, but it doesn't appear to provide more than a go/no go. I need to be able to check the key associated with a specific ROUTER connection so that I can limit what the owner of a particular connection key can do (people with one key can't pretend to be someone else).

My original idea was to use the ZMQ_IDENTITY field to set the connection ID to a superset of the connection key, then just have the ZAP handler verify the connection ID contained the key at the beginning. Further ID processing would then be done via the connection ID at the router socket. However, the ZMQ_IDENTITY set does not show up in the ZAP messages, so this isn't possible. Further reading of the mailing list indicates that the ZMQ_IDENTITY isn't supposed to propagate like that anyway.

The brute force solution would be to force an authentication exchange using a signing key and a nonce at the router (router sends nonce, client signs or encrypts it and sends it back). That's basically doing a whole handshake on top of the ZMQ_CURVE protocol, which seems rather overkill.

Does anyone know of a better approach?

Thanks,
Charlie West

--
Kapp Arnaud - Xaqq
[zeromq-dev] Any way to get key used for router connection
Hello!

I'm building the second version of an open source differential GPS sharing software (pylongps.com). I've run into a bit of a snag though.

Does anyone know of a good way to get the key associated with a CURVE router connection? ZAP authentication can check if a key is on the whitelist, but it doesn't appear to provide more than a go/no go. I need to be able to check the key associated with a specific ROUTER connection so that I can limit what the owner of a particular connection key can do (people with one key can't pretend to be someone else).

My original idea was to use the ZMQ_IDENTITY field to set the connection ID to a superset of the connection key, then just have the ZAP handler verify the connection ID contained the key at the beginning. Further ID processing would then be done via the connection ID at the router socket. However, the ZMQ_IDENTITY set does not show up in the ZAP messages, so this isn't possible. Further reading of the mailing list indicates that the ZMQ_IDENTITY isn't supposed to propagate like that anyway.

The brute force solution would be to force an authentication exchange using a signing key and a nonce at the router (router sends nonce, client signs or encrypts it and sends it back). That's basically doing a whole handshake on top of the ZMQ_CURVE protocol, which seems rather overkill.

Does anyone know of a better approach?

Thanks,
Charlie West
Re: [zeromq-dev] Per publisher filter
Thank you!

On Fri, May 15, 2015 at 6:46 AM, Pieter Hintjens p...@imatix.com wrote:

Take a look at Malamute, which is a lightweight broker you can embed as a thread in a process. It does PLAIN authentication which we could extend to CURVE.

https://github.com/zeromq/malamute

On Thu, May 14, 2015 at 11:40 PM, Steve Eley sfe...@gmail.com wrote:

That sounds like a use case for authentication. You could either come up with some sort of key distribution/verification scheme and sign every message with a sender's unique key, then check it before accepting a message as valid; or use the built-in curve encryption with client certificates and a custom ZAP handler. With the latter, you can use zmq_msg_gets (only in ZeroMQ 4.1 and later) to check the User ID set at connection handshake with the filter string. If they don't match, disconnect and revoke the malicious sender's certificate.

Have Fun,
Steve Eley

On May 14, 2015, at 4:54 PM, Charles West crw...@ncsu.edu wrote:

Hello,

Is there any way to hack together per publisher filters?

I'm working on an application to distribute differential GPS updates from low cost single frequency GPS basestations. The idea is that someone can buy a cheap basestation module and provide differential GPS corrections to not just their hardware, but that of everyone around them.

My original thought for how to implement this had the basestation creating a PUB socket and registering with one or more proxies/aggregators which would then subscribe to their corrections feed. Someone trying to find a nearby basestation to subscribe to connects to the proxy, gets a list of the close by ones and then subscribes to the proxy with the associated basestation ID as the filter.

The problem I am running into is that I don't see any way to prevent a malicious user from disrupting not just their stream but everyone else's too. Subscriber sockets don't keep track of which publisher created any given message, so I don't have any way to prevent publishers from prepending someone else's basestation ID to the messages they publish. That means a single user could corrupt everyone else's stream.

Is there any option like ROUTER for subscribers, where messages get IDs based on who sent them? Alternatively, is there some way to make a per publisher filter? I don't think XSUB can do either of those.

Thanks,
Charlie West
[zeromq-dev] Per publisher filter
Hello,

Is there any way to hack together per publisher filters?

I'm working on an application to distribute differential GPS updates from low cost single frequency GPS basestations. The idea is that someone can buy a cheap basestation module and provide differential GPS corrections to not just their hardware, but that of everyone around them.

My original thought for how to implement this had the basestation creating a PUB socket and registering with one or more proxies/aggregators which would then subscribe to their corrections feed. Someone trying to find a nearby basestation to subscribe to connects to the proxy, gets a list of the close by ones and then subscribes to the proxy with the associated basestation ID as the filter.

The problem I am running into is that I don't see any way to prevent a malicious user from disrupting not just their stream but everyone else's too. Subscriber sockets don't keep track of which publisher created any given message, so I don't have any way to prevent publishers from prepending someone else's basestation ID to the messages they publish. That means a single user could corrupt everyone else's stream.

Is there any option like ROUTER for subscribers, where messages get IDs based on who sent them? Alternatively, is there some way to make a per publisher filter? I don't think XSUB can do either of those.

Thanks,
Charlie West
[zeromq-dev] Capture RAW TCP segments for tunnelling?
Hello,

If I may ask, is there any way to bind a CURVE socket so that all of the TCP packets it would send/receive can be captured and put into a tunnel? Alternatively, is there some way to setup a zmq_proxy so that it transparently forwards CURVE encrypted traffic (without having access to it)?

Thanks,
Charlie West
Re: [zeromq-dev] Secure proxies
Hey Steve,

That is a fair point (and thank you for answering). By encrypting the stream using keys established between the two endpoints you could bypass the flow of open data across the proxy.

This has some costs associated with it, however. The client/server other side of the proxy needs to be aware that the proxy is acting on behalf of someone else and that standard ZMQ security cannot be used. You also have to manually implement your encryption/security protocol (which historically has been prone to errors).

If you could intercept the raw frames from a ZMQ socket and do IP in IP routing (client - proxy - other client) to deliver them to the other side of the proxy it would still be possible to use the ZMQ security features without modification. The client on the other side of the proxy would not need to be aware that the proxy was acting on behalf of another computer. It would just appear to be one computer which had two software nodes.

The question is, how could you grab the segments coming to/from a secure ZMQ and pass them to an internal process? In other words, how can you bind a secure ZMQ socket (with its own key that the proxy can't access) and have it appear to the rest of the world that the port that was bound is on the proxy.

I've been thinking about it a lot today and I think I've come up with one approach that would work except there is no way to intercept the outbound traffic from the ZMQ socket without needing to bind 1 loopback socket for every flow (binding the ZMQ socket to a loopback address and using a RAW_SOCKET to do package encapsulation).

Does anyone know if there is a way to portably divert the TCP segments that ZMQ sends?

Thanks,
Charlie West

On Tue, Apr 14, 2015 at 2:54 PM, Steve Eley sfe...@gmail.com wrote:

On Apr 14, 2015, at 1:52 PM, Charles West crw...@ncsu.edu wrote:

The simple way to act as a proxy would be just to make a ZMQ socket on each side and forward the data. The problem with that is that this would require the data to be unencrypted on one side, copied and reencrypted. This introduces both overhead and allows the proxy to snoop (bad for general principles).

I might be missing something obvious, but why would it require that? The proxy might need to be able to read *addressing* information to do its job, but why would it need to see the payload? Just establish a header/body separation, encrypt the header with a shared key that's readable by your whole routing system, and encrypt the body with keys that are only known to the endpoints.

Have Fun,
Steve Eley
Re: [zeromq-dev] Custom authenticator
Awesome. My handler seems to be getting messages. Now to get the rest of the design built around it.

Thanks for the help!

On Sat, Aug 9, 2014 at 5:49 PM, Pieter Hintjens p...@imatix.com wrote:

You can look at the test cases in libzmq to see examples of custom ZAP handlers (CZMQ is only one option, you can indeed write your own handlers).

As for signing keys... there's been a long thread on certificate formats on this list, the upshot wasn't clear.

On Fri, Aug 8, 2014 at 10:44 PM, Charles West crw...@ncsu.edu wrote:

Also, does anyone know of a good way to sign using CurveZMQ keys? I could bind them to a second key (used for signing) using a permission signed by a certificate authority, but that seems clunky.

On Fri, Aug 8, 2014 at 4:42 PM, Charles West crw...@ncsu.edu wrote:

Hello,

I've been digging into the spec for CurveZMQ as part of my efforts to build a secure alternative to ROS. I believe I have figured out what I need to do for the next part, but I thought I should ask to see if I am on the right track and see if there might be better ways that more experienced people know of.

I need to maintain an in-memory list of accepted keys for each socket and have connections for each of those sockets accepted/rejected based on the associated key stores. It looks like once security domains are implemented I will be able to make something of this nature by creating a security domain for each socket and a folder to maintain the allowed certificates for each domain. In the mean time, I could have a context for each socket and its own associated folder (clunky, but works). However, as this is supposed to be a background library, it would be much better if it didn't need to have a folder with write access to do its own book keeping.

27/ZAP - ZeroMQ Authentication Protocol and looking at the source for CZMQ seems to indicate a better way. If I am reading it correctly, ZeroMQ will send any connection requests over to an inproc server with endpoint inproc://zeromq.zap.01. This server is normally made automatically by CZMQ calls, but it is not necessary that the library creates it. Instead, my code could bind the endpoint and implement its part of the 27/ZAP protocol (the curve part, at least). It can maintain its own list of keys and implement the security domains to allow a unique in-memory store to be kept for each object.

If I may ask, does this last solution sound right? Is there any better way to do it?

Thank you for your time,
Charlie West
[zeromq-dev] Custom authenticator
Hello,

I've been digging into the spec for CurveZMQ as part of my efforts to build a secure alternative to ROS. I believe I have figured out what I need to do for the next part, but I thought I should ask to see if I am on the right track and see if there might be better ways that more experienced people know of.

I need to maintain an in-memory list of accepted keys for each socket and have connections for each of those sockets accepted/rejected based on the associated key stores. It looks like once security domains are implemented I will be able to make something of this nature by creating a security domain for each socket and a folder to maintain the allowed certificates for each domain. In the mean time, I could have a context for each socket and its own associated folder (clunky, but works). However, as this is supposed to be a background library, it would be much better if it didn't need to have a folder with write access to do its own book keeping.

27/ZAP - ZeroMQ Authentication Protocol and looking at the source for CZMQ seems to indicate a better way. If I am reading it correctly, ZeroMQ will send any connection requests over to an inproc server with endpoint inproc://zeromq.zap.01. This server is normally made automatically by CZMQ calls, but it is not necessary that the library creates it. Instead, my code could bind the endpoint and implement its part of the 27/ZAP protocol (the curve part, at least). It can maintain its own list of keys and implement the security domains to allow a unique in-memory store to be kept for each object.

If I may ask, does this last solution sound right? Is there any better way to do it?

Thank you for your time,
Charlie West
Re: [zeromq-dev] Custom authenticator
Also, does anyone know of a good way to sign using CurveZMQ keys? I could bind them to a second key (used for signing) using a permission signed by a certificate authority, but that seems clunky.

On Fri, Aug 8, 2014 at 4:42 PM, Charles West crw...@ncsu.edu wrote:

Hello,

I've been digging into the spec for CurveZMQ as part of my efforts to build a secure alternative to ROS. I believe I have figured out what I need to do for the next part, but I thought I should ask to see if I am on the right track and see if there might be better ways that more experienced people know of.

I need to maintain an in-memory list of accepted keys for each socket and have connections for each of those sockets accepted/rejected based on the associated key stores. It looks like once security domains are implemented I will be able to make something of this nature by creating a security domain for each socket and a folder to maintain the allowed certificates for each domain. In the mean time, I could have a context for each socket and its own associated folder (clunky, but works). However, as this is supposed to be a background library, it would be much better if it didn't need to have a folder with write access to do its own book keeping.

27/ZAP - ZeroMQ Authentication Protocol and looking at the source for CZMQ seems to indicate a better way. If I am reading it correctly, ZeroMQ will send any connection requests over to an inproc server with endpoint inproc://zeromq.zap.01. This server is normally made automatically by CZMQ calls, but it is not necessary that the library creates it. Instead, my code could bind the endpoint and implement its part of the 27/ZAP protocol (the curve part, at least). It can maintain its own list of keys and implement the security domains to allow a unique in-memory store to be kept for each object.

If I may ask, does this last solution sound right? Is there any better way to do it?

Thank you for your time,
Charlie West
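
The ZAP-side logic discussed in the messages above (the custom authenticator with per-domain in-memory key lists, Arnaud Kapp's suggestion to return the CURVE key as the User-Id, and Steve Eley's check of the User-Id against the publisher's filter string), as an added Python example that is not code from the thread, libzmq or CZMQ. It works on plain lists of frames in the RFC 27 order so it runs without ZeroMQ; the hex User-Id encoding, the domain names, the station IDs and the keys are assumptions constructed for illustration.

```python
"""ZAP (RFC 27) CURVE handler logic with per-domain in-memory key stores.
Added example: on a real socket these are the frames a handler bound to
inproc://zeromq.zap.01 exchanges with libzmq."""

ZAP_VERSION = b"1.0"


class ZapError(ValueError):
    """Request does not follow the RFC 27 frame layout."""


class DomainKeyStore:
    """In-memory allow-list of CURVE public keys, one set per ZAP domain."""

    def __init__(self):
        self._keys = {}  # domain (bytes) -> set of 32-byte public keys

    def allow(self, domain, public_key):
        if len(public_key) != 32:
            raise ValueError("CURVE public keys are 32 bytes")
        self._keys.setdefault(domain, set()).add(bytes(public_key))

    def revoke(self, domain, public_key):
        self._keys.get(domain, set()).discard(bytes(public_key))

    def is_allowed(self, domain, public_key):
        return bytes(public_key) in self._keys.get(domain, set())


def parse_zap_request(frames):
    """Name the request frames: version, request id, domain, address,
    identity, mechanism, then the mechanism's credential frames."""
    if len(frames) < 6:
        raise ZapError("short ZAP request")
    version, request_id, domain, address, _identity, mechanism = frames[:6]
    if version != ZAP_VERSION:
        raise ZapError("unsupported ZAP version")
    return {"request_id": request_id, "domain": domain, "address": address,
            "mechanism": mechanism, "credentials": list(frames[6:])}


def zap_reply(request_id, status, text, user_id=b""):
    """Reply frames: version, request id, status code, status text,
    user id, metadata (left empty here)."""
    return [ZAP_VERSION, request_id, status, text, user_id, b""]


def handle_zap_request(frames, store):
    """Return the ZAP reply for one request, denying on any doubt."""
    try:
        req = parse_zap_request(frames)
    except ZapError as exc:
        request_id = frames[1] if len(frames) > 1 else b""
        return zap_reply(request_id, b"500", str(exc).encode("ascii"))
    rid, creds = req["request_id"], req["credentials"]
    if req["mechanism"] != b"CURVE":
        return zap_reply(rid, b"400", b"CURVE required")
    if len(creds) != 1 or len(creds[0]) != 32:
        return zap_reply(rid, b"400", b"bad CURVE credentials")
    if not store.is_allowed(req["domain"], creds[0]):
        return zap_reply(rid, b"400", b"key not allowed for domain")
    # Assumption: the User-Id is the key as hex text; any stable encoding works.
    return zap_reply(rid, b"200", b"OK", user_id=creds[0].hex().encode())


def publisher_may_send(user_id, message_frames, station_owner):
    """True if the connection's User-Id owns the basestation ID in frame 0.
    user_id is the value zmq_msg_gets(msg, "User-Id") gives in libzmq 4.1+."""
    if not user_id or not message_frames:
        return False
    return station_owner.get(message_frames[0]) == user_id


# Constructed sample data: these are not real keys, domains or station IDs.
KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))
STORE = DomainKeyStore()
STORE.allow(b"corrections", KEY_A)
STORE.allow(b"corrections", KEY_B)
STORE.allow(b"admin", KEY_A)
OWNERS = {b"station-17": KEY_A.hex().encode(), b"station-42": KEY_B.hex().encode()}


def sample_request(domain, key, mechanism=b"CURVE"):
    return [ZAP_VERSION, b"1", domain, b"192.0.2.10", b"", mechanism, key]


if __name__ == "__main__":
    ok = handle_zap_request(sample_request(b"corrections", KEY_B), STORE)
    print(ok[2], publisher_may_send(ok[4], [b"station-17", b"x"], OWNERS))
```

Because the User-Id is fixed by the handler at the CURVE handshake, a publisher holding KEY_B cannot label a message with the station ID owned by KEY_A, which is the per-key restriction the threads ask for.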