IRC Archive for channel #xwiki
Last modified by Vincent Massol on 2012/10/18 19:12
sdumitriu joined #xwiki at 00:09
CalebJamesDeLisl - (00:13): pong abusenius
abusenius - (00:15): re signed scripts, do you know how to send the personal certificate to the server?
abusenius - (00:15): and which format it will use?
CalebJamesDeLisl - (00:16): meaning when you create a client cert?
abusenius - (00:16): yes, the one corresponding to the private key you use to sign
CalebJamesDeLisl - (00:16): org.bouncycastle.jce.netscape.NetscapeCertRequest
abusenius - (00:16): it needs to be known to the server so that it can verify
abusenius - (00:17): ah, this one, ok
CalebJamesDeLisl - (00:17): You send one of those doodads, and the server sends back a client sert.
CalebJamesDeLisl - (00:17): *cert
abusenius - (00:17): can you also decode base64 data in js or should it be something else?
CalebJamesDeLisl - (00:17): Basically all you are sending is a public key and a signed challenge string.
CalebJamesDeLisl - (00:18): No it's all handles by firefox internals, no need to tinker with javascript.
abusenius - (00:18): ok, cool
abusenius - (00:19): I have some proof of concept implementation of signed scripts
abusenius - (00:19): https://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-rendering-macro-signed
abusenius - (00:20): it can currently just do create/verify, is not persistent but shows the point
abusenius - (00:20): there is also a small app that shows some of the methods
CalebJamesDeLisl - (00:20): What I have is based on bblfish's work, i can create client certs and make a client able to sign text from their browser.
abusenius - (00:21): we need to merge our implementations somehow
CalebJamesDeLisl - (00:21): I have been trying to figure out how to validate pkcs7 signatures, looks like you have that done which is great.
abusenius - (00:21): at least they should be compatible :)
abusenius - (00:22): yes, so I basically need to add some api to give you the data to sign, then you can post it back
abusenius - (00:22): and you can allready import a new trusted cert
abusenius - (00:22): (if the format will match)
CalebJamesDeLisl - (00:22): We all sort of have to work around the firefox crypto.signText standard if we want to support client certs.
CalebJamesDeLisl - (00:23): * supported by opera too, also there is talk about chrome support.
abusenius - (00:23): I have used bouncy castle and PKCS7, so should be not hard to make it work
CalebJamesDeLisl - (00:23): Your're using CMSSignedData?
abusenius - (00:23): yes
CalebJamesDeLisl - (00:24): it sounds like we're both going the same direction here.
abusenius - (00:24): yes, it was good that you told me to use pkcs7 early :)
CalebJamesDeLisl - (00:25): Since my code is really a complete rewrite of bblfish's work I think I will seperate it entirely and put it under the LGPL.
abusenius - (00:25): its was a bit tricky to use, but it seems to work now
CalebJamesDeLisl - (00:26): I can send you a tar of what I have (I don't want to post to the sandbox until I have completely separated it from the foafssl stuff.)
abusenius - (00:26): would be cool
CalebJamesDeLisl - (00:27): The user's URL is still in the cert so I _think_ it will remain foafssl compatable.
CalebJamesDeLisl - (00:28): One more bit of awesomeness about crypto.signText() is we can authenticate the user by sending them a random string and asking them to sign it. No passwords to leak over wifi.
CalebJamesDeLisl - (00:28): Also no need for server ssl certs.
CalebJamesDeLisl - (00:29): * CA signed server ssl certs.
abusenius - (00:30): isn't man in the middle a problem here?
abusenius - (00:31): I mean, try to login to server, get a random string, send it to legitimate user, he signs, sends it to you, you send it to server...
CalebJamesDeLisl - (00:39): Yup, but that will only get him access to your current session, not your passwords. Also MITM is an active attack which generally means somebody knows you have something they want. Packet sniffing is something you can do with wireshark and can be done silently without anyone knowing and you can do it to everyone in a coffee shop at once just fishing for info.
CalebJamesDeLisl - (00:40): Also the point is a bit moot since the connection is not encrypted anyway.
CalebJamesDeLisl - (00:40): Mail sent.
CalebJamesDeLisl - (00:42): What do you think of only one script service called $crypto?
abusenius - (00:45): $crypto would be nice, especially if used also for other things like encryptions/hash etc.
CalebJamesDeLisl - (00:45): Not sure I like the name SignedScript, what if it's not a script just some information which the signatory wishes to assure everyone it is valid.
abusenius - (00:45): I have put everything together for now to simplify things
CalebJamesDeLisl - (00:46): Looking at you're work, I think it's best to fold my work into your's.
abusenius - (00:46): well, how would you call it then? SignedData?
CalebJamesDeLisl - (00:46): String? ;)
abusenius - (00:47): well, its not just sting
abusenius - (00:48): at least for the purpose of signed scripts it is handy to have
CalebJamesDeLisl - (00:48): XWikiSignature isn't a signature per se.
CalebJamesDeLisl - (00:49): XWikiNotary?
abusenius - (00:49): SignedScript has additional information about who signed it, when etc
abusenius - (00:49): ok, XWikiSignature is a really bad name :)
abusenius - (00:49): I named it after security.Signature
abusenius - (00:49): why notary?
CalebJamesDeLisl - (00:50): I think it's fun to try to make names which make code read almost as english sentences.
CalebJamesDeLisl - (00:51): Well a notary public witnesses the signing of documents and attests to their validity (among other things).
abusenius - (00:51): maybe, but it is a cryptographic signature not so much a human made one
CalebJamesDeLisl - (00:51): It's a cryptographic notary ;)
abusenius - (00:52): I don't know, notary doesn't sound intuitive to me
abusenius - (00:53): maybe because I have never had something to do with notaries, but a lot with crypto :)
abusenius - (00:54): thanks for the code, I'll look at it tomorrow
CalebJamesDeLisl - (00:54): I'll keep looking for words.
abusenius - (00:55): its a thing/person who can sign and verify correctness of any kind of data
abusenius - (00:55): I would call it DataSigner, but it does not mention verification ^^
sdumitriu left at 00:58 (Quit: Leaving.
abusenius - (01:00): ok, got to go, see you online
CalebJamesDeLisl - (01:00): see ya
abusenius left at 01:01 (Quit: Konversation terminated!
lucaa joined #xwiki at 05:30
lucaa left at 05:35 (Ping timeout: 276 seconds
Enygma` joined #xwiki at 06:01
Enygma` left at 06:16 (Quit: Leaving.
florinciu joined #xwiki at 09:32
florinciu left at 10:18 (Quit: Leaving.
florinciu joined #xwiki at 10:20
mflorea joined #xwiki at 10:27
florinciu1 joined #xwiki at 10:36
florinciu left at 10:53 (Quit: Leaving.
florinciu joined #xwiki at 11:04
sdumitriu joined #xwiki at 11:37
fmancinelli joined #xwiki at 12:02
vmassol left at 12:05 (Quit: Leaving.
fmancinelli left at 12:07 (Ping timeout: 252 seconds
vmassol joined #xwiki at 12:10
vmassol1 joined #xwiki at 12:11
vmassol left at 12:11 (Read error: Connection reset by peer
florinciu left at 12:14 (Read error: Connection reset by peer
mflorea1 joined #xwiki at 12:56
mflorea left at 12:57 (Read error: Connection reset by peer
nuvolari is now known as all (~quassel@unaffiliated/nuvolari
all is now known as nuvolari (~quassel@unaffiliated/nuvolari
sdumitriu left at 15:00 (Ping timeout: 240 seconds
sdumitriu joined #xwiki at 15:12
florinciu1 left at 15:53 (Quit: Leaving.
florinciu joined #xwiki at 16:02
jvelo left at 16:03 (Quit: Ex-Chat
abusenius joined #xwiki at 16:59
florinciu left at 17:19 (Read error: Connection reset by peer
evalica joined #xwiki at 18:08
evalica left #xwiki at 18:08
florinciu joined #xwiki at 18:31
florinciu left at 18:31 (Client Quit
vmassol1 left at 18:31 (Quit: Leaving.
vmassol joined #xwiki at 18:31
vmassol left at 18:31 (Client Quit
mflorea1 left at 19:31 (Quit: Leaving.
florinciu joined #xwiki at 19:54
fmancinelli joined #xwiki at 20:08
florinciu left at 20:21 (Quit: Leaving.
sdumitriu left at 20:47 (Ping timeout: 240 seconds
sdumitriu joined #xwiki at 21:24
fmancinelli left at 23:15 (Read error: Operation timed out
CalebJamesDeLisl - (00:13): pong abusenius
abusenius - (00:15): re signed scripts, do you know how to send the personal certificate to the server?
abusenius - (00:15): and which format it will use?
CalebJamesDeLisl - (00:16): meaning when you create a client cert?
abusenius - (00:16): yes, the one corresponding to the private key you use to sign
CalebJamesDeLisl - (00:16): org.bouncycastle.jce.netscape.NetscapeCertRequest
abusenius - (00:16): it needs to be known to the server so that it can verify
abusenius - (00:17): ah, this one, ok
CalebJamesDeLisl - (00:17): You send one of those doodads, and the server sends back a client sert.
CalebJamesDeLisl - (00:17): *cert
abusenius - (00:17): can you also decode base64 data in js or should it be something else?
CalebJamesDeLisl - (00:17): Basically all you are sending is a public key and a signed challenge string.
CalebJamesDeLisl - (00:18): No it's all handles by firefox internals, no need to tinker with javascript.
abusenius - (00:18): ok, cool
abusenius - (00:19): I have some proof of concept implementation of signed scripts
abusenius - (00:19): https://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-rendering-macro-signed
abusenius - (00:20): it can currently just do create/verify, is not persistent but shows the point
abusenius - (00:20): there is also a small app that shows some of the methods
CalebJamesDeLisl - (00:20): What I have is based on bblfish's work, i can create client certs and make a client able to sign text from their browser.
abusenius - (00:21): we need to merge our implementations somehow
CalebJamesDeLisl - (00:21): I have been trying to figure out how to validate pkcs7 signatures, looks like you have that done which is great.
abusenius - (00:21): at least they should be compatible :)
abusenius - (00:22): yes, so I basically need to add some api to give you the data to sign, then you can post it back
abusenius - (00:22): and you can allready import a new trusted cert
abusenius - (00:22): (if the format will match)
CalebJamesDeLisl - (00:22): We all sort of have to work around the firefox crypto.signText standard if we want to support client certs.
CalebJamesDeLisl - (00:23): * supported by opera too, also there is talk about chrome support.
abusenius - (00:23): I have used bouncy castle and PKCS7, so should be not hard to make it work
CalebJamesDeLisl - (00:23): Your're using CMSSignedData?
abusenius - (00:23): yes
CalebJamesDeLisl - (00:24): it sounds like we're both going the same direction here.
abusenius - (00:24): yes, it was good that you told me to use pkcs7 early :)
CalebJamesDeLisl - (00:25): Since my code is really a complete rewrite of bblfish's work I think I will seperate it entirely and put it under the LGPL.
abusenius - (00:25): its was a bit tricky to use, but it seems to work now
CalebJamesDeLisl - (00:26): I can send you a tar of what I have (I don't want to post to the sandbox until I have completely separated it from the foafssl stuff.)
abusenius - (00:26): would be cool
CalebJamesDeLisl - (00:27): The user's URL is still in the cert so I _think_ it will remain foafssl compatable.
CalebJamesDeLisl - (00:28): One more bit of awesomeness about crypto.signText() is we can authenticate the user by sending them a random string and asking them to sign it. No passwords to leak over wifi.
CalebJamesDeLisl - (00:28): Also no need for server ssl certs.
CalebJamesDeLisl - (00:29): * CA signed server ssl certs.
abusenius - (00:30): isn't man in the middle a problem here?
abusenius - (00:31): I mean, try to login to server, get a random string, send it to legitimate user, he signs, sends it to you, you send it to server...
CalebJamesDeLisl - (00:39): Yup, but that will only get him access to your current session, not your passwords. Also MITM is an active attack which generally means somebody knows you have something they want. Packet sniffing is something you can do with wireshark and can be done silently without anyone knowing and you can do it to everyone in a coffee shop at once just fishing for info.
CalebJamesDeLisl - (00:40): Also the point is a bit moot since the connection is not encrypted anyway.
CalebJamesDeLisl - (00:40): Mail sent.
CalebJamesDeLisl - (00:42): What do you think of only one script service called $crypto?
abusenius - (00:45): $crypto would be nice, especially if used also for other things like encryptions/hash etc.
CalebJamesDeLisl - (00:45): Not sure I like the name SignedScript, what if it's not a script just some information which the signatory wishes to assure everyone it is valid.
abusenius - (00:45): I have put everything together for now to simplify things
CalebJamesDeLisl - (00:46): Looking at you're work, I think it's best to fold my work into your's.
abusenius - (00:46): well, how would you call it then? SignedData?
CalebJamesDeLisl - (00:46): String? ;)
abusenius - (00:47): well, its not just sting
abusenius - (00:48): at least for the purpose of signed scripts it is handy to have
CalebJamesDeLisl - (00:48): XWikiSignature isn't a signature per se.
CalebJamesDeLisl - (00:49): XWikiNotary?
abusenius - (00:49): SignedScript has additional information about who signed it, when etc
abusenius - (00:49): ok, XWikiSignature is a really bad name :)
abusenius - (00:49): I named it after security.Signature
abusenius - (00:49): why notary?
CalebJamesDeLisl - (00:50): I think it's fun to try to make names which make code read almost as english sentences.
CalebJamesDeLisl - (00:51): Well a notary public witnesses the signing of documents and attests to their validity (among other things).
abusenius - (00:51): maybe, but it is a cryptographic signature not so much a human made one
CalebJamesDeLisl - (00:51): It's a cryptographic notary ;)
abusenius - (00:52): I don't know, notary doesn't sound intuitive to me
abusenius - (00:53): maybe because I have never had something to do with notaries, but a lot with crypto :)
abusenius - (00:54): thanks for the code, I'll look at it tomorrow
CalebJamesDeLisl - (00:54): I'll keep looking for words.
abusenius - (00:55): its a thing/person who can sign and verify correctness of any kind of data
abusenius - (00:55): I would call it DataSigner, but it does not mention verification ^^
sdumitriu left at 00:58 (Quit: Leaving.
abusenius - (01:00): ok, got to go, see you online
CalebJamesDeLisl - (01:00): see ya
abusenius left at 01:01 (Quit: Konversation terminated!
lucaa joined #xwiki at 05:30
lucaa left at 05:35 (Ping timeout: 276 seconds
Enygma` joined #xwiki at 06:01
Enygma` left at 06:16 (Quit: Leaving.
florinciu joined #xwiki at 09:32
florinciu left at 10:18 (Quit: Leaving.
florinciu joined #xwiki at 10:20
mflorea joined #xwiki at 10:27
florinciu1 joined #xwiki at 10:36
florinciu left at 10:53 (Quit: Leaving.
florinciu joined #xwiki at 11:04
sdumitriu joined #xwiki at 11:37
fmancinelli joined #xwiki at 12:02
vmassol left at 12:05 (Quit: Leaving.
fmancinelli left at 12:07 (Ping timeout: 252 seconds
vmassol joined #xwiki at 12:10
vmassol1 joined #xwiki at 12:11
vmassol left at 12:11 (Read error: Connection reset by peer
florinciu left at 12:14 (Read error: Connection reset by peer
mflorea1 joined #xwiki at 12:56
mflorea left at 12:57 (Read error: Connection reset by peer
nuvolari is now known as all (~quassel@unaffiliated/nuvolari
all is now known as nuvolari (~quassel@unaffiliated/nuvolari
sdumitriu left at 15:00 (Ping timeout: 240 seconds
sdumitriu joined #xwiki at 15:12
florinciu1 left at 15:53 (Quit: Leaving.
florinciu joined #xwiki at 16:02
jvelo left at 16:03 (Quit: Ex-Chat
abusenius joined #xwiki at 16:59
florinciu left at 17:19 (Read error: Connection reset by peer
evalica joined #xwiki at 18:08
evalica left #xwiki at 18:08
florinciu joined #xwiki at 18:31
florinciu left at 18:31 (Client Quit
vmassol1 left at 18:31 (Quit: Leaving.
vmassol joined #xwiki at 18:31
vmassol left at 18:31 (Client Quit
mflorea1 left at 19:31 (Quit: Leaving.
florinciu joined #xwiki at 19:54
fmancinelli joined #xwiki at 20:08
florinciu left at 20:21 (Quit: Leaving.
sdumitriu left at 20:47 (Ping timeout: 240 seconds
sdumitriu joined #xwiki at 21:24
fmancinelli left at 23:15 (Read error: Operation timed out
