[Amqp-security-list] Re: Minutes from 12/1 AMQP Security call

Ted Ross tross at redhat.com
Mon Dec 10 16:05:09 UTC 2007


Subbu,

I agree that the header signature should be close to the header.  The 
problem I'm seeing is that if the signature is part of the header, 
intermediaries will need to modify the header before calculating the 
signature.  Rather than doing a quick SHA1 or MD5 across the header 
segment as it arrives, the implementer will either have to make a 
modified copy of the segment, or will have to parse the header and hash 
it in a piecemeal fashion.  Bear in mind that a broker is going to be 
checking headers at rates of millions per second.  Adding computational 
complexity will introduce performance bottlenecks.

I still think that having a separate signature-context segment 
immediately following the headers is a better approach.  The signature 
is still close to the headers and the computation of the header 
signature does not need to be embedded into the header-parsing function.

We can discuss this during today's call.

-Ted

Subbu Srinivasan (ssriniva) wrote:
> Hi Ted,
> After some perusal I think in my opinion it is logical that the header
> signature be close to the actual header itself. Otherwise intermediaries
> will have to compute the signature and then wait for the context frame
> before you can validate the signature.
>
> Implementation errors can be handled during testing of the product and
> hence should obviate the need for this change.
>
> Subbu S
>
>
> -----Original Message-----
> From: Ted Ross [mailto:tross at redhat.com] 
> Sent: Monday, December 03, 2007 7:20 AM
> To: amqp-security-list at redhat.com
> Cc: Ted Ross; Subbu Srinivasan (ssriniva); Arnaud Simon
> Subject: Minutes from 12/1 AMQP Security call
>
> On the call:  Subbu, Arnaud, Ted
>
> The time for this call has been changed to a more convenient time for
> the participants.  It will now occur on Thursdays at 1:00 PM EST.  The
> phone number will be provided prior to the next meeting on the 6th.
>
> A new Wiki page has been set up in the AMQP "In Progress" area for draft
> security documents.  The url is
>
>     https://jira.amqp.org/confluence/display/AMQP/Working+Documents
>
>
> Discussion of Subbu's encryption/signing proposal:
>
> There is general agreement with the structure of the proposal.
>
> Actions:
>
> - Subbu will consider alternatives to carrying the header signature in
> the header segment itself (point 3 in Ted's emailed comments).
>
> Issues:
>
> - The team needs to further consider to what extent AMQP aids in key
> exchange.  It was noted that both clients and the broker need to be able
> to validate signed headers.  If keyed-hashes (HMAC) are used to sign the
> headers, then the hash keys must be exchanged among the clients and the
> broker.  Protocol support for such a key exchange cannot be left to the
> implementer.
>
> Discussion of Ted's authentication proposal:
>
> It was decided that the namespace for realms shall be flat
> (non-hierarchical) unless specific requirements are raised that call for
> realm hierarchy.
>
> Actions:
>
> - Ted will consider the possibility of using the "Security-Context" from
> the encryption proposal as a place to store realm-access information.
>
> - Ted will provide more protocol detail.
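
The trade-off debated in this thread, as an added example (not code from the thread or from the AMQP specification): an embedded signature makes the verifier blank the field in a copy of the header before hashing, while a detached signature segment lets it hash the header bytes as they arrive and compare once the following segment has been read. The byte layouts, the key, the helper names and the use of HMAC-SHA256 (the thread itself mentions SHA1, MD5 and HMAC) are assumptions for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"            # constructed; key exchange is out of scope
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
HDR = b"routing-key=orders;content-type=text/plain"  # constructed header bytes

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

# Layout A (hypothetical): the signature is the last MAC_LEN bytes of the header
# and is computed over the header with that field zeroed.
def sign_embedded(fields):
    return fields + mac(fields + bytes(MAC_LEN))

def verify_embedded(header):
    if len(header) < MAC_LEN:
        return False
    scratch = bytearray(header)              # modified copy of the segment
    scratch[-MAC_LEN:] = bytes(MAC_LEN)      # blank the field before hashing
    return hmac.compare_digest(mac(bytes(scratch)), header[-MAC_LEN:])

# Layout B (hypothetical): the header segment is left untouched and the
# signature travels in its own segment immediately after it.
def verify_detached_stream(header_chunks, signature_segment):
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    for chunk in header_chunks:              # hash bytes as they arrive, unparsed
        h.update(chunk)
    # the comparison has to wait until the signature segment has been read
    return hmac.compare_digest(h.digest(), signature_segment)

def flip_first_byte(data):
    return bytes([data[0] ^ 0x01]) + data[1:]

if __name__ == "__main__":
    a = sign_embedded(HDR)
    print("embedded ok:", verify_embedded(a))
    print("embedded tampered:", verify_embedded(flip_first_byte(a)))
    chunks = [HDR[:11], HDR[11:]]
    print("detached ok:", verify_detached_stream(chunks, mac(HDR)))
    print("detached tampered:", verify_detached_stream([flip_first_byte(HDR)], mac(HDR)))
```
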
>   



