[foaf-protocols] Why exponent/modulus

Henry Story henry.story at bblfish.net
Fri Sep 17 19:24:16 CEST 2010


On 17 Sep 2010, at 17:48, Nathan wrote:

> Henry Story wrote:
>> On 17 Sep 2010, at 15:48, Nathan wrote:
>>> With this specific question, the main background thinking is that implementations of WebID protocol would be much easier, with far less dependencies, if we did simply throw a PEM/DER certificate in to our profiles, all those Wordpress/Mediawiki/Drupal type plugins, and indeed support in any language which had basic support for HTTP+TLS would suddenly become a very easy hit.
>> How would putting a PEM make those tools easier to integrate? Can you explain in more detail where things become easier and why.
> 
> Certainly can, in most http servers you can very easily expose the client side certificate to the environment a programming language runs under, for instance in Apache:
> 
>  SSLUserName SSL_CLIENT_CERT
> 
> And in most programming languages you get basic support for X509 certificates and grabbing information from them (including extensions), for example getting the subjectAltName in PHP is as simple as this:
> 
>  $x509 = openssl_x509_parse( $_SERVER['REMOTE_USER'] );
>  $x509['extensions']['subjectAltName'];
>  // then pull the URI: value(s) from the string
> 
> So as you can see, getting the cert and the subjectAltName is one (optional) config line and 3 lines of PHP. Which is natively supported on most hosts and certainly everywhere you'll find Wordpress / Drupal / Mediawiki with https:// configured.
> 
> Where things get complex and where the "custom stuff" dependency creeps in is getting the modulus and exponent, this isn't common usage and thus not supported natively, so you normally need to run the certificate through a series of command line calls to openssl and then parse what you get back (this is *not* supported on most hosts, certainly not shared, and certainly not portable in anyway that would allow a plugin to be developed). This is true for most languages with any kind of tls / certificate support.
> 
> There are two ways to address this:
> 
> 1 - a custom multi language ASN1 parser library that deals with all variants of certificates, implemented for most common languages. (barely viable, would be full of bugs, would take years to get versions for all major languages)

Well I am happy to hear you say that ASN1 is not a panacea. 

What I am surprised is that your server is parsing that certificate, since it uses 
the public key to do the crypto TLS handshake. So every server that has TLS, has a 
parser built in. Or else it could not get access to the certificate. It should be 
easy for a server to just add an interface to return that key too, right?

Any server that wishes to do WebID, will anyway require some new tweaks on their 
server, or some new libraries it seems to me. So this is a good reason to help people
to upgrade. Otherwise a redirect service to something like foafssl.org will do the 
trick too.

> 2 - simply include the common representation of the certificate in your profile. This wouldn't need any ASN1 support or require any command line / openssl calling.

This would then require a bit by bit comparison of the certificate then I assume.
So should a web site then publish both PEM and DER? And what about other encodings?
It seems that this will end up forcing us to use ASN.1 forever then, when we really
want to get away from that, as in my view it makes something really simple, public
key cryptography - you can write the algorithm on your t-shirt - really complicated
by tying it to some complex binary standard.

So perhaps we can first look and see if your problem cannot be solved in some other
way.

> So, I guess what I'm saying is, that unless we pester every major language to add native ASN.1 support / expose modulus and exponent / create an ASN1 reader in every major language, we can never create portable webid plugins for media wiki / drupal / wordpress.

I think we should make a table and work out which languages have trouble with this, and
a map of solutions. Then we can look at what advantage that will give us with some 
objective facts to back this up.

Thanks for bringing up this issue.

Henry


> 
> Hope that makes sense
> 
> Best,
> 
> Nathan
> 
> ps: will reply to other portion under separate cover.

Social Web Architect
http://bblfish.net/



More information about the foaf-protocols mailing list