[ZODB-Dev] CHAP with ZEO
Jeremy Hylton
jeremy@digicool.com
Tue, 22 May 2001 10:20:17 -0400 (EDT)
>>>>> "TD" == Toby Dickenson <tdickenson@devmail.geminidataloggers.co.uk> writes:

TD> I think CHAP would be a good addition, but not for the reasons
TD> you suggest. If you are using ZEO over an untrusted network then
TD> you need to secure the content too and, as you mention, tools
TD> like stunnel provide this already.

TD> CHAP is useful if your ZEO network is trusted, but not entirely
TD> private. For example, if your ZEO client and server are on the
TD> same host.

TD> It may also be useful even when using stunnel, as an alternative
TD> to client certificates.

>> Is this something we should think about rolling into ZEO?

TD> We need to be careful to not oversell it, but I think yes.

It sounds like we should set up a fishbowl proposal (in the ZODB Wiki)
about adding some kind of digest-based authentication to ZEO. The
proposal provides a better basis for evaluating the risks of
cryptographically weak security and the needs of users to provide some
kind of authentication.
Jeremy