We have found ourselves at a fork in the road and wanted to get some input from the community. OpenZIS currently supports three forms of authentication.
No Authentication – Used primarily for testing and development. The agents that send requests to the ZIS are not authenticated.
Username and Password – Agents are authenticated using a username and password that is passed in the HTTP(S) header.
Certificates – Agents are authenticated based on a certificate supplied by the agent. Apache ensures that the certificate is valid and passes the CN of the certificate to OpenZIS, which then compares it to the CN supplied when the agent was set up. If they match, communication is allowed; if not, OpenZIS returns the appropriate SIF Error message.
We are proposing to remove username and password authentication, because it is not supported by the SIF Specification. We are also considering redesigning the certificate validation process. Instead of checking only the CN of the certificate, OpenZIS would save the entire certificate to the database on the first call from the agent; on every request afterwards it would compare the entire certificate passed against the saved one. We believe this will be easier to maintain and more secure.
Now we want to open it up to the community and hear your thoughts. What do you think our course of action should be?
Thanks in advance for sharing your thoughts,
OpenZIS Team
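As an added illustration of the two certificate checks discussed above (example code, not OpenZIS code), the following Python models the current CN-only comparison beside the proposed save-on-first-call comparison. The mod_ssl variables SSL_CLIENT_S_DN_CN and SSL_CLIENT_CERT, the AgentRegistry class and the sample certificate strings are assumptions constructed for the example.

```python
import hashlib

# Constructed sample client certificates (not real X.509 data). In a
# deployment these would be the PEM text that Apache mod_ssl exports in
# SSL_CLIENT_CERT (needs SSLOptions +ExportCertData) and the CN it exports
# in SSL_CLIENT_S_DN_CN; both variable names are assumptions here.
AGENT_CN = "agent1.district.example"
CERT_ENROLLED = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ENROLLED\n-----END CERTIFICATE-----\n"
CERT_OTHER = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-OTHER\n-----END CERTIFICATE-----\n"


def fingerprint(pem: str) -> str:
    """Hash the PEM body so the database holds a fixed-size pin of the whole certificate."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----")).strip()
    return hashlib.sha256(body.encode()).hexdigest()


class AgentRegistry:
    """In-memory stand-in (hypothetical) for the OpenZIS agent table."""

    def __init__(self):
        self.cn = {}    # agent id -> CN entered when the agent was set up
        self.pins = {}  # agent id -> fingerprint saved on the agent's first call

    def register(self, agent_id, cn):
        self.cn[agent_id] = cn

    def check_cn_only(self, agent_id, env):
        """Current scheme: only the CN Apache extracted is compared."""
        return env.get("SSL_CLIENT_S_DN_CN") == self.cn.get(agent_id)

    def check_pinned_cert(self, agent_id, env):
        """Proposed scheme: save the certificate on first use, then require the identical one."""
        pem = env.get("SSL_CLIENT_CERT")
        if not pem or not self.check_cn_only(agent_id, env):
            return "SIF_ERROR"
        fp = fingerprint(pem)
        if agent_id not in self.pins:
            self.pins[agent_id] = fp  # first call: remember this certificate
            return "ENROLLED"
        return "OK" if self.pins[agent_id] == fp else "SIF_ERROR"


def demo():
    """Two certificates carrying the same CN: CN-only accepts both, pinning accepts only the first."""
    reg = AgentRegistry()
    reg.register("agent1", AGENT_CN)
    good = {"SSL_CLIENT_S_DN_CN": AGENT_CN, "SSL_CLIENT_CERT": CERT_ENROLLED}
    same_cn_other_cert = {"SSL_CLIENT_S_DN_CN": AGENT_CN, "SSL_CLIENT_CERT": CERT_OTHER}
    pinned = [reg.check_pinned_cert("agent1", good),
              reg.check_pinned_cert("agent1", good),
              reg.check_pinned_cert("agent1", same_cn_other_cert)]
    return pinned, reg.check_cn_only("agent1", same_cn_other_cert)
```

Because the pin covers the whole certificate, a renewed agent certificate will be rejected until an administrator clears the stored pin, so the proposal needs an explicit re-enrolment step alongside the first-call save.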
What do you think about OAuth?
OAuth is an interesting prospect, however it would lead us outside of the SIF Specification.