qpid-dev mailing list archives

From Steve Huston <shus...@riverace.com>
Subject RE: Configuration for security.
Date Wed, 06 May 2015 15:06:40 GMT
I'm not aware of the goings on that prompted this topic, but FWIW, I think Alan's proposal
is a really good approach.

> -----Original Message-----
> From: Alan Conway [mailto:aconway@redhat.com]
> Sent: Wednesday, May 06, 2015 10:29 AM
> To: Andrew Stitcher
> Cc: dev@qpid.apache.org; messaging@redhat.com
> Subject: Re: Configuration for security.
> 
> On Tue, 2015-05-05 at 14:57 -0400, Andrew Stitcher wrote:
> > On Tue, 2015-05-05 at 14:21 -0400, Alan Conway wrote:
> > > On Tue, 2015-05-05 at 12:43 -0400, Andrew Stitcher wrote:
> > > > On Tue, 2015-05-05 at 12:13 -0400, Alan Conway wrote:
> > > > > The problem:
> > > > >
> > > > > 1. Insecure defaults are, well, insecure.
> > > > > 2. Secure defaults cause confusion and support overhead esp. in
> dev/testing environments.
> > > > > 3. We need fine-grained security settings (e.g. "allow-plain-with-ssl")
> because security is complicated.
> > > > >
> > > > > Here's what I would suggest:
> > > > >
> > > > > Provide a top-level setting: "secure", default true.
> > > >
> > > > The new proton security APIs are pretty similar to this already -
> > > > you did look at them?
> > > >
> > > > There are actually 2 settings which control authentication and
> > > > encryption.
> > >
> > > That's what I'm getting at. There are already 2, you're adding
> > > another which is 3, then there'll be 4...
> >
> > I did consider those settings pretty carefully and did have them
> > reviewed (potentially by you).
> >
> > I do think they reasonably cover a lot of the security landscape in a
> > simple to understand way, and don't need adding to.
> >
> > However, if you want to add more detailed settings not covered by them
> > that's ok too.
> 
> OK, let me back up and regroup:
> 
> I'm happy with 2 settings auth_required, encryption_required. If we can
> satisfy all users with just those two I will be very happy.
> 
> I am not *proposing* additional settings, but I had the impression we were
> on the verge of adding one allow_plain_with_no_ssl or somesuch. If we can
> avoid that then so much the better.
> 
> IF we do (now or later) need to start adding detailed settings, then they
> should have a sensible default *based on the values of auth_required and
> encryption_required*, not just a static default.
> 
> Most users should ONLY have to set auth_required and encryption_required
> and be confident that things will usually Just Work. In particular if both are
> false, then all details settings should have permissive defaults. If both are
> true then all detailed settings should have strict defaults. So a secure user
> can assume the standard "denied if not explicitly permitted" for the
> additional settings, and an insecure user can assume "anything goes" without
> having to set a bunch of individual settings.
> 
> But again, if we can satisfy all with just the 2 settings that is ideal and we
> should strive to minimize additional settings.
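A sketch of the derived-defaults rule Alan describes (explicit override wins, otherwise strict when the governing top-level knob is required, permissive when it is not), as an added example that is not code from this thread or from Proton/Qpid; the detailed setting names allow_anonymous, allow_plaintext_sasl and verify_peer_cert are hypothetical:

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical detailed settings for illustration (not Proton's real option
# names): setting -> (governing top-level knob, the value that is "permissive").
DETAILED_SETTINGS = {
    "allow_anonymous":      ("auth_required",       True),
    "allow_plaintext_sasl": ("encryption_required", True),
    "verify_peer_cert":     ("encryption_required", False),
}


@dataclass
class SecurityConfig:
    auth_required: bool = True          # both default to True: secure by default
    encryption_required: bool = True
    # Detailed settings the operator set explicitly; anything absent is derived.
    overrides: Dict[str, bool] = field(default_factory=dict)


def effective_settings(cfg: SecurityConfig) -> Dict[str, bool]:
    """Resolve every detailed setting from the two top-level knobs.

    An explicit override always wins. Otherwise, if the governing knob is
    required the default is the strict value ("denied if not explicitly
    permitted"); if it is not required the default is the permissive value.
    """
    unknown = set(cfg.overrides) - set(DETAILED_SETTINGS)
    if unknown:
        raise ValueError("unknown detailed settings: %s" % sorted(unknown))
    resolved = {}
    for name, (knob, permissive_value) in DETAILED_SETTINGS.items():
        if name in cfg.overrides:
            resolved[name] = cfg.overrides[name]
        elif getattr(cfg, knob):
            resolved[name] = not permissive_value   # strict default
        else:
            resolved[name] = permissive_value       # permissive default
    return resolved


def weakening_overrides(cfg: SecurityConfig) -> List[str]:
    """Overrides that relax a setting whose top-level knob is required.

    These are the only places a strict configuration is loosened, so they are
    the ones worth surfacing in a startup log or a config review.
    """
    found = []
    for name, (knob, permissive_value) in DETAILED_SETTINGS.items():
        if name in cfg.overrides and getattr(cfg, knob) \
                and cfg.overrides[name] == permissive_value:
            found.append(name)
    return sorted(found)
```

With both knobs false every detailed setting resolves permissive; with both true only the explicitly listed relaxations differ from the strict defaults, and weakening_overrides() names exactly those.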
