[foaf-protocols] Why exponent/modulus

Nathan nathan at webr3.org
Fri Sep 17 23:29:27 CEST 2010

Hi Joe,

Joe Presbrey wrote:
> Why complicate the integration process with knowledge of OpenSSL, math
> (mod/exp), or RDF?
> You can access $_SERVER['REMOTE_USER'] in only 1 line of PHP! ;)

! indeed, can you quickly confirm what'd be in $_SERVER['REMOTE_USER']? - 
on first read I thought you meant the certificate in PEM format, on 
second read I figured you meant the webid having had full authn done.

>> So, I guess what I'm saying is, that unless we pester every major
>> language to add native ASN.1 support / expose modulus and exponent /
>> create an ASN1 reader in every major language, we can never create
>> portable webid plugins for media wiki / drupal / wordpress.
> We can already make portable plugins. Standalone is another story.

Aye, that's what I meant, standalone :)

> Don't we already have libAuthenticate duplicating mod_authn_webid's
> tasks in PHP? Why isn't there a Mediawiki authentication plugin that
> stacks on top of libAuthenticate? Not because we're missing native
> support AFAIK.

afaict (and what I'm referring to generally) can be found in 
libAuthenticate too:
see lines 123-129:
//TODO: remove openssl dependency
$RSACertStruct = `echo "$RSACert" | openssl asn1parse -inform PEM -i`;
//TODO: remove openssl dependency
$RSAKey = `echo "$RSACert" | openssl asn1parse -inform PEM -i -strparse 

without an ASN.1 parser then any PHP implementation is dependent on 
linux + openssl + shell exec permissions, which rules out a huge 
proportion of hosts

> Why isn't WebID login supported on the esw.w3.org MediaWiki instance?

good question!

> I really think doing authn in Apache or even higher in the SSL
> negotiation stack (as Henry demonstrated in Java?) is the best design
> (read: gives the best performance) for the authn bit. It would be

likewise, I agree - but many (most) don't have this option sadly.

> especially great if the MediaWiki plugin could use either dependency:
> PHP/libAuthenticate for quick-install, mod_authn_webid for
> performance/fuller integration. Can we get libAuthenticate to populate
> $_SERVER['REMOTE_USER'] or develop some other common framework that
> downstream plugins can use to access properties of an authenticated
> user?

really like the idea of an abstraction point although may need to take 
over or provide another env, REMOTE_USER would be v easy to have 
overwritten by something else, and people may want to layer auth by 
requesting basic/digest auth as well as a second tier.

also fully agree with having the libAuthenticate quick-install and 
mod_authn_webid for performance, however the openssl dependency which is 
introduced by using exponent+modulus still stands and affects most of 
the Mediawiki/Drupal/Wordpress/PHP user base.

> PS: As long as 'every major language' can run behind Apache or
> lighttpd, each can consider REMOTE_USER (provided by mod_authn_webid)

is there a path to getting mod_authn_webid into the main apache distro? 
this would increase the number of hosts which can support/offer webid 

> PPS: When the implementations table fills up, let's do some
> side-by-side benchmarks!

great idea! also, has anybody looked at nginx?
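
Added example (not part of the original message and not libAuthenticate's code): a pure-PHP DER reader that pulls the RSA modulus and exponent out of a SubjectPublicKeyInfo with bounds checks, so the comparison needs no openssl binary or shell exec. The names der_read() and rsa_from_spki() are hypothetical, the sample key is constructed, and it assumes PHP 7.1+ with the certificate's SPKI already isolated as DER bytes.

```php
<?php
// Added example: pure-PHP DER reader, no openssl binary and no shell exec.
// der_read() and rsa_from_spki() are hypothetical names, not libAuthenticate's.

// Read one TLV at $pos; returns [tag, value bytes, offset of next TLV].
function der_read(string $der, int $pos): array {
    $end = strlen($der);
    if ($pos + 2 > $end) throw new RuntimeException('truncated header');
    $tag = ord($der[$pos]);
    $len = ord($der[$pos + 1]);
    $pos += 2;
    if ($len & 0x80) {                    // long form: low 7 bits count the length bytes
        $count = $len & 0x7f;
        if ($count < 1 || $count > 3 || $pos + $count > $end) {
            throw new RuntimeException('unsupported or truncated length');
        }
        for ($len = 0, $i = 0; $i < $count; $i++) {
            $len = ($len << 8) | ord($der[$pos++]);
        }
    }
    if ($pos + $len > $end) throw new RuntimeException('value runs past end of input');
    return [$tag, substr($der, $pos, $len), $pos + $len];
}

// DER SubjectPublicKeyInfo -> ['n' => hex modulus, 'e' => hex exponent].
function rsa_from_spki(string $spki): array {
    $rsaOid = "\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01";   // rsaEncryption
    [$tag, $body] = der_read($spki, 0);
    if ($tag !== 0x30) throw new RuntimeException('SPKI is not a SEQUENCE');
    [, $alg, $next] = der_read($body, 0);                        // AlgorithmIdentifier
    if (strpos($alg, $rsaOid) !== 0) throw new RuntimeException('not an RSA key');
    [$tag, $bits] = der_read($body, $next);                      // BIT STRING
    if ($tag !== 0x03 || $bits === '' || $bits[0] !== "\x00") {
        throw new RuntimeException('bad BIT STRING');
    }
    [$tag, $key] = der_read(substr($bits, 1), 0);                // RSAPublicKey
    [$t1, $n, $next] = der_read($key, 0);
    [$t2, $e] = der_read($key, $next);
    if ($tag !== 0x30 || $t1 !== 0x02 || $t2 !== 0x02) {
        throw new RuntimeException('bad RSAPublicKey');
    }
    return ['n' => bin2hex(ltrim($n, "\x00")), 'e' => bin2hex(ltrim($e, "\x00"))];
}

// Constructed sample: 1024-bit RSA SPKI framing around a filler modulus (not a real key).
$sample = hex2bin('30819f300d06092a864886f70d010101050003818d0030818902818100')
    . "\xc5" . str_repeat("\xab", 127) . hex2bin('0203010001');
$key = rsa_from_spki($sample);
printf("e=%s n=%s... (%d bits)\n", $key['e'], substr($key['n'], 0, 8), strlen($key['n']) * 4);
```

Every length is checked against the remaining input before it is used, because the certificate bytes come from the client and are untrusted.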


