[foaf-protocols] Why exponent/modulus

Nathan nathan at webr3.org
Fri Sep 17 18:48:37 CEST 2010


Henry Story wrote:
> On 17 Sep 2010, at 15:48, Nathan wrote:
>> With this specific question, the main background thinking is that 
>> implementations of WebID protocol would be much easier, with far less 
>> dependencies, if we did simply throw a PEM/DER certificate in to our 
>> profiles, all those Wordpress/Mediawiki/Drupal type plugins, and indeed 
>> support in any language which had basic support for HTTP+TLS would 
>> suddenly become a very easy hit.
> 
> How would putting a PEM make those tools easier to integrate? Can you 
> explain in more detail where things become easier and why.

Certainly can, in most http servers you can very easily expose the 
client side certificate to the environment a programming language runs 
under, for instance in Apache:

   SSLUserName SSL_CLIENT_CERT

And in most programming languages you get basic support for X509 
certificates and grabbing information from them (including extensions), 
for example getting the subjectAltName in PHP is as simple as this:

   $x509 = openssl_x509_parse( $_SERVER['REMOTE_USER'] );
   $x509['extensions']['subjectAltName'];
   // then pull the URI: value(s) from the string

So as you can see, getting the cert and the subjectAltName is one 
(optional) config line and 3 lines of PHP. Which is natively supported 
on most hosts and certainly everywhere you'll find Wordpress / Drupal / 
Mediawiki with https:// configured.

Where things get complex and where the "custom stuff" dependency creeps 
in is getting the modulus and exponent, this isn't common usage and thus 
not supported natively, so you normally need to run the certificate 
through a series of command line calls to openssl and then parse what 
you get back (this is *not* supported on most hosts, certainly not 
shared, and certainly not portable in anyway that would allow a plugin 
to be developed). This is true for most languages with any kind of tls / 
certificate support.

There are two ways to address this:

1 - a custom multi language ASN1 parser library that deals with all 
variants of certificates, implemented for most common languages. (barely 
viable, would be full of bugs, would take years to get versions for all 
major languages)

2 - simply include the common representation of the certificate in your 
profile. This wouldn't need any ASN1 support or require any command line 
/ openssl calling.

So, I guess what I'm saying is, that unless we pester every major 
language to add native ASN.1 support / expose modulus and exponent / 
create an ASN1 reader in every major language, we can never create 
portable webid plugins for media wiki / drupal / wordpress.

Hope that makes sense

Best,

Nathan

ps: will reply to other portion under separate cover.


More information about the foaf-protocols mailing list