[foaf-protocols] security problem with libAuthenticate
Bruno Harbulot
Bruno.Harbulot at manchester.ac.uk
Thu Feb 4 20:17:30 CET 2010
Story Henry wrote:
> On 4 Feb 2010, at 17:59, Pierre-Antoine Champin wrote:
>
>> Hi,
>>
>> I supervise some students working on a FOAF+SSL project.
>>
>> They played a little with foaf.me, and discovered what seems like a bug
>> in foaf.me, probably in libAuthenticate:
>>
>> the URI produced by foafssl.org (with the webid, the date and the
>> signature), seems to be accepted forever, as if foaf.me didn't take the
>> date into account.
>
> Do you mean that it does not take the time limit of the certificate into account?
> (That's quite possible, and we have recently argued that we should take those into account, so that one can produce certificates that are only valid for an hour or less even)

I've just added this feature in the Java verifier code (I should have
done it a while back): http://github.com/harbulot/foafssl-java

Best wishes,
Bruno.
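
The check reported as missing in the quoted report, sketched as an added example that is not part of this message and is not code from libAuthenticate or foafssl-java: a relying party verifies the signature on the redirect URI, then rejects it if its date is outside a short window or if it has already been used. The parameter names (`webid`, `ts`, `sig`), the 5-minute window, the one-time-use cache and the HMAC-SHA256 shared key standing in for the identity provider's signature are all assumptions made for the illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (not from the thread): parameter names webid/ts/sig, an
# HMAC-SHA256 shared key standing in for the identity provider's signature,
# and the acceptance window below.
DEMO_KEY = b"constructed-demo-key"
MAX_AGE = timedelta(minutes=5)
MAX_SKEW = timedelta(seconds=30)


def _mac(signed_part: str) -> str:
    return hmac.new(DEMO_KEY, signed_part.encode(), hashlib.sha256).hexdigest()


def issue(base: str, webid: str, when: datetime) -> str:
    """Build a signed redirect URI as a constructed identity provider would."""
    signed = base + "?" + urlencode({"webid": webid, "ts": when.isoformat()})
    return signed + "&sig=" + _mac(signed)


def verify(uri: str, now: datetime, seen: set) -> str:
    """Return the WebID if the URI is authentic, fresh and not yet used."""
    signed, sep, sig = uri.rpartition("&sig=")
    if not sep or not hmac.compare_digest(_mac(signed).encode(), sig.encode()):
        raise ValueError("bad signature")
    # The date is covered by the signature, so it can be trusted once the
    # signature verifies; the bug described above is never looking at it.
    params = parse_qs(urlsplit(signed).query)
    age = now - datetime.fromisoformat(params["ts"][0])
    if age > MAX_AGE or age < -MAX_SKEW:
        raise ValueError("stale or future-dated assertion")
    # One-time use inside the window; entries older than MAX_AGE can be
    # evicted because the freshness check already rejects them.
    if sig in seen:
        raise ValueError("replayed assertion")
    seen.add(sig)
    return params["webid"][0]
```
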