Message Signing Questions

dreamoka Member Posts: 47 ✭✭✭

Is the message broker able to verify message signing?

For example, Client A signs the message and sends it to the message broker. Then the message broker checks the message and rejects it if the message contains an incorrect message signature.



  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 500 admin

    Hey @dreamoka - the broker does not intercept any of the payload, it simply just routes the message to the destination. Any payload processing such as checksum and signature validation is done on the receiving application. In the case of failed validation the consuming application could either NACK or drop the message.
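
The receiving-side check described in the reply above, as an added example that is not part of the original thread or any broker vendor's code. It assumes a pre-shared key per client and uses HMAC-SHA256 as a stand-in for a signature scheme; the envelope fields (`kid`, `body`, `mac`) and the function names `sign` and `settle` are hypothetical.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key store: key id -> secret shared with that publisher.
KEYS = {"client-a": b"constructed-demo-secret-for-client-a"}


def _mac(key: bytes, topic: str, body: bytes) -> bytes:
    # Bind the topic into the MAC so a valid message cannot be replayed onto
    # another topic; the length prefix keeps the two fields unambiguous.
    t = topic.encode()
    return hmac.new(key, len(t).to_bytes(4, "big") + t + body, hashlib.sha256).digest()


def sign(key_id: str, topic: str, body: bytes) -> bytes:
    """Publisher side: wrap the body in an envelope that carries the MAC."""
    tag = _mac(KEYS[key_id], topic, body)
    return json.dumps({
        "kid": key_id,
        "body": base64.b64encode(body).decode(),
        "mac": base64.b64encode(tag).decode(),
    }).encode()


def settle(topic: str, payload: bytes) -> Tuple[str, Optional[bytes]]:
    """Consumer side: ("ACK", body) if the MAC verifies, else ("NACK", None)."""
    try:
        env = json.loads(payload)
        key = KEYS[env["kid"]]
        body = base64.b64decode(env["body"], validate=True)
        tag = base64.b64decode(env["mac"], validate=True)
    except (ValueError, KeyError, TypeError):
        return "NACK", None  # malformed envelope or unknown sender
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(tag, _mac(key, topic, body)):
        return "NACK", None  # body or topic altered, or wrong key
    return "ACK", body
```

The broker only ever sees the opaque envelope bytes; the consuming application maps the returned outcome onto whatever settlement call its messaging API provides.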

  • dreamoka
    dreamoka Member Posts: 47 ✭✭✭

    Hi @Tamimi, thank you so much. I am not well versed in terms of security. I have the following questions to ask.

    1. Do I still implement message signing if the message broker implements mutual TLS (mTLS) authentication?
    2. Is it a recommendation to use mutual TLS (mTLS) rather than basic authentication (username and password)?
    3. In your opinion, who is the one who should generate the client certificate? Do I have to generate a client certificate for every client, since the certificate contains the username?
    4. Is mutual TLS (mTLS) a good way of preventing client spoofing?