qpid-dev mailing list archives

From Alan Conway <acon...@redhat.com>
Subject Re: Configuration for security.
Date Wed, 06 May 2015 14:28:38 GMT
On Tue, 2015-05-05 at 14:57 -0400, Andrew Stitcher wrote:
> On Tue, 2015-05-05 at 14:21 -0400, Alan Conway wrote:
> > On Tue, 2015-05-05 at 12:43 -0400, Andrew Stitcher wrote:
> > > On Tue, 2015-05-05 at 12:13 -0400, Alan Conway wrote:
> > > > The problem:
> > > > 
> > > > 1. Insecure defaults are, well, insecure.
> > > > 2. Secure defaults cause confusion and support overhead esp. in dev/testing environments.
> > > > 3. We need fine-grained security settings (e.g. "allow-plain-with-ssl") because security is complicated.
> > > > 
> > > > Here's what I would suggest:
> > > > 
> > > > Provide a top-level setting: "secure", default true.
> > > 
> > > The new proton security APIs are pretty similar to this already - you
> > > did look at them?
> > > 
> > > There are actually 2 setting which control authentication and
> > > encryption.
> > 
> > That's what I'm getting at. There are already 2, you're adding another
> > which is 3, then there'll be 4...
> 
> I did consider those settings pretty carefully and did have them
> reviewed (potentially by you).
> 
> I do think they reasonably cover a lot of the security landscape in a
> simple to understand way, and don't need adding to.
> 
> However, if you want to add more detailed settings not covered by them
> that's ok too.

OK, let me back up and regroup:

I'm happy with 2 settings auth_required, encryption_required. If we can
satisfy all users with just those two I will be very happy.

I am not *proposing* additional settings, but I had the impression we
were on the verge of adding one, allow_plain_with_no_ssl or somesuch. If
we can avoid that then so much the better.

IF we do (now or later) need to start adding detailed settings, then
they should have a sensible default *based on the values of
auth_required and encryption_required*, not just a static default.

Most users should ONLY have to set auth_required and encryption_required
and be confident that things will usually Just Work. In particular, if
both are false, then all detailed settings should have permissive
defaults. If both are true, then all detailed settings should have strict
defaults. So a secure user can assume the standard "denied if not
explicitly permitted" for the additional settings, and an insecure user
can assume "anything goes" without having to set a bunch of individual
settings.

But again, if we can satisfy all with just the 2 settings that is ideal
and we should strive to minimize additional settings.
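The derived-default scheme described in the message above, as an added example that is not part of the original thread and not Qpid or Proton code. The two top-level flags are the ones named in the thread; the detailed setting names (allow_plain_without_tls, allow_anonymous), the "mixed case" rule, and the connection check are assumptions made for illustration.

```python
"""Added example: fine-grained security settings whose defaults derive from
auth_required / encryption_required.  Not Qpid or Proton code; the detailed
setting names and the mixed-case rule are hypothetical."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical detailed settings, each mapped to the top-level flag it refines.
# A value of None in the config means "not set by the user; derive a default".
DETAILED_SETTINGS = {
    "allow_plain_without_tls": "encryption_required",  # PLAIN on a cleartext link
    "allow_anonymous": "auth_required",                # offer the ANONYMOUS mechanism
}


@dataclass
class SecurityConfig:
    auth_required: bool = True
    encryption_required: bool = True
    allow_plain_without_tls: Optional[bool] = None
    allow_anonymous: Optional[bool] = None

    def resolved(self) -> Dict[str, bool]:
        """Effective value of every detailed setting.

        Explicit values win.  Otherwise: both top-level flags off -> permissive
        ("anything goes"), both on -> strict ("denied if not explicitly
        permitted").  The thread gives no rule for the mixed case; here, as an
        assumption, each detailed setting follows the one top-level flag it refines.
        """
        both_off = not self.auth_required and not self.encryption_required
        both_on = self.auth_required and self.encryption_required
        effective = {}
        for name, related_flag in DETAILED_SETTINGS.items():
            explicit = getattr(self, name)
            if explicit is not None:
                effective[name] = explicit
            elif both_off:
                effective[name] = True
            elif both_on:
                effective[name] = False
            else:
                effective[name] = not getattr(self, related_flag)
        return effective


def check_connection(cfg: SecurityConfig, tls: bool, mechanism: str) -> Tuple[bool, str]:
    """Decide whether an incoming connection (TLS or cleartext, chosen SASL
    mechanism) is acceptable under cfg.  Returns (accepted, reason)."""
    eff = cfg.resolved()
    if cfg.encryption_required and not tls:
        return False, "encryption_required but connection is cleartext"
    if mechanism == "ANONYMOUS":
        if cfg.auth_required:
            return False, "auth_required but ANONYMOUS provides no authentication"
        if not eff["allow_anonymous"]:
            return False, "ANONYMOUS disabled by allow_anonymous=False"
    if mechanism == "PLAIN" and not tls and not eff["allow_plain_without_tls"]:
        return False, "PLAIN would send the password in cleartext (allow_plain_without_tls is off)"
    return True, "accepted"


if __name__ == "__main__":
    configs = [
        ("secure (defaults)", SecurityConfig()),
        ("dev", SecurityConfig(auth_required=False, encryption_required=False)),
        ("auth only", SecurityConfig(auth_required=True, encryption_required=False)),
        ("auth only, explicit override",
         SecurityConfig(auth_required=True, encryption_required=False,
                        allow_plain_without_tls=False)),
    ]
    for label, cfg in configs:
        print(label, cfg.resolved())
        for tls, mech in [(False, "PLAIN"), (True, "PLAIN"), (False, "ANONYMOUS")]:
            print("   tls=%-5s %-9s -> %s" % (tls, mech, check_connection(cfg, tls, mech)))
```

With the defaults (both flags true) every detailed setting resolves to strict, so a cleartext PLAIN login is refused without anyone having set allow_plain_without_tls; with both flags false the same setting resolves to permissive. An explicit value always wins over the derived one, which is what lets a user tighten one knob in a dev setup without touching the rest.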


