Security issues for code to run on a cluster of Macintoshes
After asking in darwin-dev what group would be appropriate for this topic (thanks Graham, Jens, and Kevin), I have decided to bring it up here. I hope that is the correct decision.

I am developing a Macintosh application which will be capable of running on a cluster of Macs; that is, each of a number of Macs will be running a copy of the application (or of part of it) and the different Macs will communicate with each other to coordinate activity and share data: The app is not a web-server-and-client kind of thing; I expect to be using Internet socket connections directly, from within the various instances of the application. I am thereby necessarily concerned with secure communication -- I don't want the app or the data compromised.

So far, I have described a very general programming issue -- possibly too general for an Apple group. What I wonder about is what special support is available for this kind of thing based on the fact that I am using Macintoshes, and have all the facilities of MacOS and Xcode to develop and run with.

The app is a clustered version of Wraith Scheme, a parallel Scheme implementation for the Mac that I have been developing for some years. (Scheme is a variety of Lisp -- see the "Software" page of my web site, whose home URL is given below, if you are terminally curious.) Wraith Scheme is very powerful, and a malicious person who accessed it remotely could do immense damage to the system it is running on. The picture here is a number of different instances of the Wraith Scheme program, all running on different machines, using the Internet both to share data and to organize the work to be done.

The most likely sort of "cluster" is probably a bunch of machines located physically close together, all under the control of one user or institution; in that case the security problem could be very simple -- just network them together locally, take the local network off the Internet and off wireless, and don't worry. Notwithstanding, I would like to try to do a more professional job than that, just because. So let's assume that the different computers are scattered planet-wide, and that compromise of data or commands to the Scheme programs would bring about the end of civilization as we know it. (Why not dream big?)

I am not a network or security type, but I do know enough to be very scared -- a bit like a mouse at a cat convention. I do *not* want to try to reinvent the wheel myself.

Based on the reading I have done, I am inclined to implement my cluster's connectivity using "stunnel", which as I expect you all know, is an open-source program that snarfs unencrypted data transmitted locally on one port, encrypts it, and sends it out on the Internet through another port; at the destination, another instance of "stunnel" reverses the process. That seems to be a good way to leverage other people's competence at writing decent code, and to use established protocols for exchanging public keys and establishing trust. In the nominal case of a cluster of machines in close physical proximity under the control of one entity, that plan would allow the cluster to remain *on* the net while running, and public keys could easily be distributed by sneakernet and a USB drive.

If my approach is reasonable, I may have little need of Macintosh-specific information, but would anyone care to comment ...

1) Does this indeed sound like a reasonable approach?

2) Are there any Mac-specific tools available in either MacOS itself, or perhaps in what is installed with Xcode, that might be more appropriate or do a better job?

I have indeed nosed around on the web and in the Xcode developer documentation for relevant information, but there is not a lot out there -- most of the discussion has to do with web servers, browsers, and HTML.

I thank the group for its comments and advice, and I apologize profusely for my regrettable state of newbieness in all things related to cryptography and to Internet security.

-- Jay Reynolds Freeman
---------------------
Jay_Reynolds_Freeman@mac.com
http://web.mac.com/jay_reynolds_freeman (personal web site)
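
An added example, not part of the original message: a pair of stunnel configuration files for the tunnel described above, in which each node accepts only the peer certificate that was copied to it by hand. It assumes stunnel 5.x option names; the service names, ports, host name and file paths are hypothetical.

```ini
; ---- Node A, initiating side: cluster-out.conf (hypothetical file name) ----
; The local application connects in the clear to 127.0.0.1:7001.
; stunnel wraps that stream in TLS and forwards it to node B.
[cluster-out]
client = yes
; Bind the plaintext side to loopback only, never to a routable address.
accept = 127.0.0.1:7001
connect = node-b.example.net:7443
; Node A's own certificate and private key, presented to node B.
cert = /etc/stunnel/node-a.pem
key = /etc/stunnel/node-a.key
; peers.pem on node A holds node B's certificate, carried over on the USB drive.
CAfile = /etc/stunnel/peers.pem
; Reject any peer whose certificate is not present in CAfile.
verifyPeer = yes

; ---- Node B, receiving side: cluster-in.conf (hypothetical file name) ----
; stunnel terminates TLS on port 7443 and hands the decrypted stream
; to the application listening on loopback port 7002.
[cluster-in]
accept = 0.0.0.0:7443
connect = 127.0.0.1:7002
; Node B's own certificate and private key, presented to node A.
cert = /etc/stunnel/node-b.pem
key = /etc/stunnel/node-b.key
; peers.pem on node B holds node A's certificate; with verifyPeer set,
; a client that cannot present a listed certificate is refused.
CAfile = /etc/stunnel/peers.pem
verifyPeer = yes
```

The application on node B must itself listen only on 127.0.0.1:7002, otherwise the unencrypted port is reachable without the tunnel. Any local process on either machine can still connect to the loopback ports, so the tunnel protects the data in transit but not against other users of the same host.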