[foaf-protocols] Why exponent/modulus

Nathan nathan at webr3.org
Fri Sep 17 19:48:43 CEST 2010


Henry Story wrote:
> Well I am happy to hear you say that ASN1 is not a panacea. 

lol I've given that approach as much time as I'm willing to this year 
already ;)

> What I am surprised is that your server is parsing that certificate, since it uses 
> the public key to do the crypto TLS handshake. So every server that has TLS, has a 
> parser built in. Or else it could not get access to the certificate. It should be 
> easy for a server to just add an interface to return that key too, right?

Yes! if you can get it added, it's quite easy often, I added support for 
subjectAltName, exponent, modulus to node.js and it only took a few 
hours; should be a relatively easy hit code wise for most languages / 
servers.

However! try getting that in to PHP or apache in a version that's going 
to be common on most hosts, even if you had it added today you'd be 
looking at 2-3 years before you could rely on it being there 50%+ of the 
time.

> Any server that wishes to do WebID, will anyway require some new tweaks on their 
> server, or some new libraries it seems to me. So this is a good reason to help people

hmm.. I can see that being the case for usage outside of a scripting 
realm (ala Joe's fine mods for apache) but inside something like 
"Wordpress" there should be no need for any changes to the server afaik.

>> 2 - simply include the common representation of the certificate in your profile. This wouldn't need any ASN1 support or require any command line / openssl calling.
> 
> This would then require a bit by bit comparison of the certificate then I assume.
> So should a web site then publish both PEM and DER? And what about other encodings?

AFAIK DER is almost universally used in servers, programming languages 
and in .cer .crt .der files - as for PEM, well that's just DER with 
"---BEGIN CERTIFICATE..." added which you can simply strip.

In other words, if you simply pull out the base64 and strip the white 
space you should get a pretty universal representation of a certificate 
that's portable and comparable :)

> It seems that this will end up forcing us to use ASN.1 forever then, when we really
> want to get away from that, as in my view it makes something really simple, public
> key cryptography - you can write the algorithm on your t-shirt - really complicated
> by tying it to some complex binary standard.

+1 to that (mutters things about ASN1 not safe for public lists)

> So perhaps we can first look and see if your problem cannot be solved in some other
> way.

perhaps consider the above comments about DER, seems like an easy hit if 
  one could give some guidance on the best property to use.. cert:der w/ 
^^xsd:base64Binary? think that's more your domain though :)

>> So, I guess what I'm saying is, that unless we pester every major language to add native ASN.1 support / expose modulus and exponent / create an ASN1 reader in every major language, we can never create portable webid plugins for media wiki / drupal / wordpress.
> 
> I think we should make a table and work out which languages have trouble with this, and
> a map of solutions. Then we can look at what advantage that will give us with some 
> objective facts to back this up.
> 
> Thanks for bringing up this issue.

agreed, good call,

Best,

Nathan


More information about the foaf-protocols mailing list