Comments (5)
Many firms now mandate authentication using a TLS certificate and private key.
Implementing this certificate & key can sometimes present a challenge, particularly for proprietary software.
It would be great to be able to include the certificate / key into an Orchestra file, thus making the implementation transparent to the end user (possibly with the added security benefit of not needing to handle / store the private key in plain text and having to email it among various people.
This would be in a separate Orchestra file dedicated to session-level aspects (connectivity etc), not the application level file.
The structure of the supplied .zip for the TLS certificate is as follows:
- cms
-- cert.kdb
-- cert.sth
--password.txt - jks
-- cert.jks
-- password.txt - pem
-- CACerts.pem
-- cert.pem
-- cert_all.pem
-- key.pem - pkcs12
-- cert.pfx
-- password.txt
I've attached an example of a (revoked) certificate archive:
cert.zip
from fix-orchestra.
Further to the working group call just now:
-
it would be most convenient to include the certificate directly into the interface-type FIX Orchestra file (as opposed to include a pointer to an external file). This would allow vendors to read the information directly from the Orchestra file.
-
can we afford to include the private key in the Orchestra file, too?
Interface-type (as opposed to application-type) FIX Orchestra files are unlikely to be shared / publicly available, since they by definition contain proprietary information, such as CompIds, ports, IPs, etc.
Thus, it can be reasonably assumed that the private key can form part of this information.
On the other hand, integrating the key into the FIX Orchestra file may mask the fact that it contains sensitive information, thus there may be fewer concerns about sharing it (e.g. by putting it on a public file share). Would be good to discuss, certainly including the private key would be more convenient than having separately. -
Different implementations currently use different formats for TLS authentication (e.g. QuickFIX uses pkcs12, sTunnel uses pem).
Could FIX Orchestra could define one standard for encryption (e.g. pem), which can be adopted by implementers as they see fit?
from fix-orchestra.
The Interfaces schema describes a service offering in terms of the OSI model protocol layers, and then allows for session configurations for the protocol stack. The familiar model layers of application, presentation, session, transport, and lower media layers are described in ISO/IEC 7498-1 The Basic Model.
There is also a second part ISO 7498-2 Security Architecture that describes security by layers.
- The Authentication Layer
- The Access Control Layer
- The Non-Repudiation Layer
- The Data Integrity Layer
- The Confidentiality Layer
- The Assurance / Availability Layer
- Notarization / Signature Layer
This model may provide useful terminology for extending the Interfaces schema.
from fix-orchestra.
On the other hand, cipher suites combine features of multiple layers in the model, namely key exchange (authentication), encryption (confidentiality), and message authentication (non-repudiation).
from fix-orchestra.
Propose that a session configuration should support security keys in the format specified by IETF RFC 7468
from fix-orchestra.
Related Issues (20)
- [repository schema] Field type attribute does not distinguish between datatype and code set reference HOT 1
- [Score DSL] add binary condition syntax
- [repository schema] Names of codesetRefKey and codesetKeyref HOT 3
- [repository schema] Does use of fixr:oidGrp for complex type "codeType" imply support of scenarios for individual codes? HOT 2
- [repository schema] Typo in annotation of messageIdKey HOT 1
- [repository schema] Change year included in repository location of v1.1 from 2022 to 2023 HOT 1
- [repository schema] Change version attribute to include RC1 status HOT 1
- [repository schema] Missing AppInfo FIXML schema (for EP272 and higher Orchestra XMLs) HOT 1
- [repository schema] Simple type Edition_t does not seem to be used HOT 1
- [interfaces schema] Typo in field type "userIntefaceType" should be "userInterfaceType" HOT 4
- [repository schema] Add repository attribute for application extension ID HOT 1
- [repository schema] Allow names in correlation and assignment references
- [repository schema] Typo in documentation of optional name reference? HOT 3
- [repository schema] Attribute group messageAttribGrp seems to be unused
- [repository schema] Consider moving "Datatype" from repository.xsd's root level to repositoryType.xsd HOT 1
- [repository schema] Some categoryType's attributes should be required. HOT 1
- messageAttribGrp is not used. HOT 1
- [repository schema] Some protocols's message names are not supported by Name_t restrictions. HOT 3
- [repository schema] New attribute to identify fields sharing characteristics HOT 3
- [repository schema] Some simple types are not used. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fix-orchestra.