From 2dc1b9a6f455237f3743ef02b140b94ba8da63c3 Mon Sep 17 00:00:00 2001 From: Mattias Andrée Date: Tue, 24 Oct 2017 20:06:11 +0200 Subject: Replace CMSG !/cred/prefix with !/cred/whoami MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mattias Andrée --- README | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'README') diff --git a/README b/README index 1464186..b538c68 100644 --- a/README +++ b/README @@ -120,13 +120,17 @@ Secret messages: However, due to network support, these routing keys may need to be prefixed with the credentials for the servers the message - goes through. This prefix can be retrieved by simply sending an - empty control message (CMSG) with the routing key '!/cred/prefix' - and the server will reply with a control message containing prefix - using this routing key. Note, prefix is probably the empty string, - as the master server do not need to add its credentials to be - prefixed. Note, the server will never send control messages, so - received control message are guaranteed to come from the server. + goes through, or use the credentials of the a program running + on a different master machine. Therefore, a client cannot + simply just use its GID, UID, and PID, but must ask what's its + credentials are by sending an empty control message (CMSG) with + the routing key '!/cred/whoami'. The server will reply with a + control message with the same routing key and the message will + be the credentials, for example '!/cred/100/1000/1111' or + '!/cred/100/1000/1111/!/cred/1000/1000/19211'. Note, the server + will never send control messages it receives from other clients, + so the received control message is guaranteed to come from the + server. Example of how two client can prove their identities to each oter: -- cgit v1.2.3-70-g09d2
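Review bot: The added README paragraph shows the '!/cred/whoami' reply only by example ('!/cred/100/1000/1111' and '!/cred/100/1000/1111/!/cred/1000/1000/19211') and never states the field order or which segment of the chained form belongs to the client and which to the server or the other master machine. Since clients are now told they cannot derive this from their own GID, UID, and PID, the README should spell out the layout (presumably '!/cred/GID/UID/PID', going by the order in the preceding sentence) and the nesting order of the chained form. The closing guarantee covers only control messages, so it would help to state explicitly that a client must ignore any non-control message that carries the '!/cred/whoami' routing key. Wording in the added lines: "the credentials of the a program" has a stray article, and "must ask what's its credentials are" should read "must ask what its credentials are".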