Thanks for clarifying that. At the moment, I'm using the directory for discovery, so I can exchange keys through there at the same time as I discover peers, ensuring that this edge case never happens. It's like hitting two birds with one stone :-)
André

> On Jan 19, 2015, at 10:23 AM, Pieter Hintjens <[email protected]> wrote:
>
>> On Mon, Jan 19, 2015 at 2:41 PM, André Caron <[email protected]> wrote:
>>
>> If a peer is rejected by curve authentication, does ZMQ automatic
>> reconnection still work (and will it successfully connect once the "server"
>> receives the public key)?
>
> This is the part I'm not happy with. The client side used to retry.
> However that is pathological in normal cases and so now it doesn't any
> more.
>
> What I'd suggested was rather to use the certificate server live, for
> authentication. This is easy enough using ZAP. There's an example in
> the reference implementation for the ZAP spec, see
> https://github.com/zeromq/rfc/blob/master/src/spec_27.c
>
> This adds a little latency to connections. Your ZAP handler could
> trivially cache certificates so that this only hits the first time.
>
> Such a directory manager is a missing piece of the security puzzle.
>
> -Pieter
> _______________________________________________
> zeromq-dev mailing list
> [email protected]
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
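The live-directory ZAP handler Pieter describes, with the certificate cache he suggests, as an added example that is not part of the thread and not the libzmq or rfc spec_27.c code. It implements only the ZAP 1.0 request/reply frame logic (version, request id, domain, address, identity, mechanism, credentials in; version, request id, status code, status text, user id, metadata out); wiring it to the inproc://zeromq.zap.01 socket is left to the caller, and the certificate directory is modelled by a caller-supplied lookup callable (a dict-backed stub here). Names such as ZapHandler, authenticate_key and directory_hits are this example's own.

```python
"""Added example: a ZAP (ZMTP Authentication Protocol, rfc 27) handler that
authenticates CURVE clients against a live certificate directory and caches
positive answers so only the first connection from a key pays the lookup.

Assumptions (not from the thread): the directory is a callable
pubkey -> user id (or None), and frames follow the ZAP 1.0 layout.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

ZAP_VERSION = b"1.0"
CURVE_KEY_LEN = 32  # a CURVE public key is a 32-byte Curve25519 key


def _reply(request_id: bytes, status: bytes, text: bytes, user: bytes = b"") -> List[bytes]:
    # ZAP reply: version, request id, status code, status text, user id, metadata
    return [ZAP_VERSION, request_id, status, text, user, b""]


class ZapHandler:
    def __init__(self, directory_lookup: Callable[[bytes], Optional[str]],
                 cache_ttl: float = 300.0, clock=time.monotonic):
        self._lookup = directory_lookup
        self._ttl = cache_ttl
        self._clock = clock
        # pubkey -> (user id, expiry). Only positive answers are cached, so a
        # key registered in the directory after a rejection is accepted on
        # the client's next connection attempt (the edge case in the thread).
        self._cache: Dict[bytes, Tuple[str, float]] = {}
        self.directory_hits = 0  # counts round trips to the directory

    def authenticate_key(self, pubkey: bytes) -> Optional[str]:
        now = self._clock()
        hit = self._cache.get(pubkey)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.directory_hits += 1
        user = self._lookup(pubkey)
        if user is not None:
            self._cache[pubkey] = (user, now + self._ttl)
        else:
            self._cache.pop(pubkey, None)  # revoked keys drop out of the cache
        return user

    def handle(self, frames: List[bytes]) -> List[bytes]:
        """Map one ZAP request (list of frames) to one ZAP reply."""
        if len(frames) < 6 or frames[0] != ZAP_VERSION:
            rid = frames[1] if len(frames) > 1 else b""
            return _reply(rid, b"500", b"Malformed ZAP request")
        _version, request_id, _domain, _address, _identity, mechanism = frames[:6]
        credentials = frames[6:]
        if mechanism != b"CURVE":
            return _reply(request_id, b"400", b"Unsupported mechanism")
        if len(credentials) != 1 or len(credentials[0]) != CURVE_KEY_LEN:
            return _reply(request_id, b"400", b"Bad CURVE credentials")
        user = self.authenticate_key(credentials[0])
        if user is None:
            return _reply(request_id, b"400", b"Public key not in directory")
        return _reply(request_id, b"200", b"OK", user.encode())


def demo() -> Tuple[List[bytes], List[bytes], int]:
    """Constructed walk-through: one known key, one that registers later."""
    directory = {b"\x01" * CURVE_KEY_LEN: "alice"}  # stand-in for the directory server
    handler = ZapHandler(directory.get)
    alice = [ZAP_VERSION, b"1", b"global", b"192.0.2.10", b"", b"CURVE", b"\x01" * CURVE_KEY_LEN]
    bob = [ZAP_VERSION, b"2", b"global", b"192.0.2.11", b"", b"CURVE", b"\x02" * CURVE_KEY_LEN]
    handler.handle(alice)            # first connection: directory lookup
    handler.handle(alice)            # second connection: served from cache
    first_bob = handler.handle(bob)  # rejected: key not yet registered
    directory[b"\x02" * CURVE_KEY_LEN] = "bob"
    second_bob = handler.handle(bob)  # accepted after registration
    return first_bob, second_bob, handler.directory_hits


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Status codes follow the ZAP spec (200 OK, 400 denied, 500 internal error); the handler never caches a rejection, so the reconnect problem raised in the thread is handled at the directory rather than by client-side retry, and the TTL bounds how long a key removed from the directory keeps working.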
