Complete worked example?

Paul Crowley paul at ciphergoth.org
Sat Jun 11 05:13:12 PDT 2005


I know that more than one of you are working on implementations of the 
evolving standard.  One thing that might be a useful step towards 
interoperability would be a complete worked example of an example user 
logging onto an example server, with byte-for-byte wire formats 
available for download.  This would mean it was possible for 
implementors to make sure that all sorts of things were got right.  As 
well as including what's sent on the wire, the example should include 
intermediary steps such as: the raw MAC key, the token at the point that 
it's MACced, the private Diffie-Hellman values (as decimal and as raw 
binary) and so forth.

Here's some things an implementor could get wrong that an example would 
clarify:

* wrong representation of integers in the Diffie-Hellman stuff: wrong 
endianness, wrong representation of "high-bit" integers (ie those whose 
representation should start with a zero byte so that they are 
interpreted as positive), wrong base64 encoding.

* hashing the wrong thing in D-H, eg hashing the Base64 encoding rather 
than the raw binary integer

* XORing the wrong thing, eg the Base64 encoding

* secrets that are the wrong length

* GETting when you should POST

* failing to decode the MAC key before using it

* formatting the thing to be signed wrongly, eg newline separation 
rather than newline termination, or including whitespace other than newlines

* not including the return URL correctly

* not redirecting correctly
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/


More information about the yadis mailing list