[foaf-protocols] Why exponent/modulus
nathan at webr3.org
Fri Sep 17 18:48:37 CEST 2010
Henry Story wrote:
> On 17 Sep 2010, at 15:48, Nathan wrote:
>> With this specific question, the main background thinking is that
>> implementations of WebID protocol would be much easier, with far less
>> dependencies, if we did simply throw a PEM/DER certificate in to our
>> profiles, all those Wordpress/Mediawiki/Drupal type plugins, and indeed
>> support in any language which had basic support for HTTP+TLS would
>> suddenly become a very easy hit.
> How would putting a PEM make those tools easier to integrate? Can you
> explain in more detail where things become easier and why.
Certainly can. In most HTTP servers you can very easily expose the
client-side certificate to the environment a programming language runs
under; for instance, in Apache:
And in most programming languages you get basic support for X.509
certificates and grabbing information from them (including extensions);
for example, getting the subjectAltName in PHP is as simple as this:
$x509 = openssl_x509_parse( $_SERVER['REMOTE_USER'] );
// $x509['extensions']['subjectAltName'] is the extension as a string,
// then pull the URI: value(s) from the string
So, as you can see, getting the cert and the subjectAltName is one
(optional) config line and 3 lines of PHP, which is natively supported
on most hosts and certainly everywhere you'll find Wordpress / Drupal /
Mediawiki with https:// configured.
Where things get complex, and where the "custom stuff" dependency creeps
in, is getting the modulus and exponent: this isn't common usage and thus
not supported natively, so you normally need to run the certificate
through a series of command line calls to openssl and then parse what
you get back (this is *not* supported on most hosts, certainly not
shared, and certainly not portable in any way that would allow a plugin
to be developed). This is true for most languages with any kind of tls /
There are two ways to address this:
1 - a custom multi-language ASN.1 parser library that deals with all
variants of certificates, implemented for most common languages. (barely
viable, would be full of bugs, would take years to get versions for all
2 - simply include the common representation of the certificate in your
profile. This wouldn't need any ASN.1 support or require any command line
/ openssl calling.
So, I guess what I'm saying is that unless we pester every major
language to add native ASN.1 support / expose modulus and exponent /
create an ASN.1 reader in every major language, we can never create
portable WebID plugins for Mediawiki / Drupal / Wordpress.
Hope that makes sense
ps: will reply to other portion under separate cover.
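As an added example (not part of Nathan's message, nor code from any WebID project), here is what the "custom stuff" looks like when done without shelling out to openssl: a minimal DER walker that pulls the modulus and exponent out of a certificate's SubjectPublicKeyInfo. It is written in Python rather than PHP so it can be run as-is; the certificate it parses is a constructed, unsigned fixture built inline by build_sample_cert(), and that builder together with the helper names _tlv, _integer, SAMPLE_N and SAMPLE_E are assumptions of this example, not anything from the thread.

```python
import base64
import re
import textwrap

# Contents octets of the rsaEncryption OID, 1.2.840.113549.1.1.1
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        # Long form: low seven bits give the number of following length octets.
        # 0x80 alone (indefinite length) is BER-only and never valid in DER.
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("invalid DER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER structure")
    return tag, pos, end


def _children(buf, start, end):
    """Walk the elements inside a constructed value (SEQUENCE, SET, [0] ...)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour and base64-decode, ignoring any whitespace
    (the value a web server exports into the environment may have lost its newlines)."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def rsa_public_key_from_cert(cert):
    """Return (modulus, exponent) from the RSA SubjectPublicKeyInfo of a PEM str or DER bytes."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs_start, tbs_end = next(_children(der, start, end))
    tbs = list(_children(der, tbs_start, tbs_end))
    # version is [0] EXPLICIT OPTIONAL; when present (tag 0xA0) it shifts serial,
    # signature, issuer, validity, subject and subjectPublicKeyInfo by one position.
    _, spki_start, spki_end = tbs[6 if tbs[0][0] == 0xA0 else 5]
    algorithm, public_key = list(_children(der, spki_start, spki_end))
    oid_tag, oid_start, oid_end = next(_children(der, algorithm[1], algorithm[2]))
    if oid_tag != 0x06 or der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("subjectPublicKeyInfo is not an rsaEncryption key")
    # subjectPublicKey is a BIT STRING: first content octet = unused bits (0 here), then the
    # DER of RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    if public_key[0] != 0x03 or der[public_key[1]] != 0x00:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_start, rsa_end = _read_tlv(der, public_key[1] + 1)
    modulus, exponent = list(_children(der, rsa_start, rsa_end))
    # DER INTEGER is two's complement, so a modulus whose top bit is set carries a leading
    # 0x00 octet; int.from_bytes() absorbs it, so the result is the true key size, not +1 byte.
    n = int.from_bytes(der[modulus[1]:modulus[2]], "big")
    e = int.from_bytes(der[exponent[1]:exponent[2]], "big")
    return n, e


# Constructed fixture (assumption of this example, not a real certificate): a structurally
# valid but unsigned Certificate whose only job is to carry a known modulus and exponent.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _integer(value):
    # Minimal big-endian two's complement: one extra byte whenever the top bit would be set.
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_sample_cert(n, e):
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"sample"))))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    rsa_key = _tlv(0x30, _integer(n) + _integer(e))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + rsa_key))
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(1) + sha256_rsa + name + validity + name + spki)
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 257))  # all-zero "signature"


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"


SAMPLE_N = (1 << 2047) | 0x10001  # top bit set: exercises the leading-0x00 INTEGER case
SAMPLE_E = 65537
SAMPLE_PEM = to_pem(build_sample_cert(SAMPLE_N, SAMPLE_E))

if __name__ == "__main__":
    n, e = rsa_public_key_from_cert(SAMPLE_PEM)
    print("Modulus=%X" % n)
    print("Exponent=%d" % e)
```

The uppercase hex printed for the modulus is the same form that "openssl x509 -noout -modulus" prints, so the two can be compared directly on a real certificate. The walker is deliberately narrow: DER only (no indefinite lengths), rsaEncryption keys only, and it locates subjectPublicKeyInfo by position rather than parsing every field, which is exactly the "handles all variants?" question Nathan raises against option 1; where a proper X.509 library is available it should be preferred, and this shows the minimum needed when it is not.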