Complete worked example?
Paul Crowley
paul at ciphergoth.org
Sat Jun 11 05:13:12 PDT 2005
I know that more than one of you are working on implementations of the
evolving standard. One thing that might be a useful step towards
interoperability would be a complete worked example of an example user
logging onto an example server, with byte-for-byte wire formats
available for download. This would mean it was possible for
implementors to make sure that all sorts of things were got right. As
well as including what's sent on the wire, the example should include
intermediary steps such as: the raw MAC key, the token at the point that
it's MACced, the private Diffie-Hellman values (as decimal and as raw
binary) and so forth.
Here are some things an implementor could get wrong that an example would
clarify:
* wrong representation of integers in the Diffie-Hellman stuff: wrong
endianness, wrong representation of "high-bit" integers (ie those whose
representation should start with a zero byte so that they are
interpreted as positive), wrong base64 encoding.
* hashing the wrong thing in D-H, eg hashing the Base64 encoding rather
than the raw binary integer
* XORing the wrong thing, eg the Base64 encoding
* secrets that are the wrong length
* GETting when you should POST
* failing to decode the MAC key before using it
* formatting the thing to be signed wrongly, eg newline separation
rather than newline termination, or including whitespace other than newlines
* not including the return URL correctly
* not redirecting correctly
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
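
A sketch of the kind of worked exchange the message asks for, as an added example that is not part of the original post and is not taken from the standard under discussion. It assumes SHA-1 for the Diffie-Hellman hash, HMAC-SHA1 for the MAC, a toy group, and hypothetical field names; all keys and private values are constructed.

```python
import base64, hashlib, hmac

P, G = 2**127 - 1, 5  # toy group (constructed); far too small for real use

def int_to_bytes(n):
    """Big-endian, with a leading zero byte when the top bit is set."""
    if n < 0:
        raise ValueError("negative integers are not encoded")
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def bytes_to_int(raw):
    n = int.from_bytes(raw, "big", signed=True)
    if n < 0:
        raise ValueError("missing leading zero byte: value reads as negative")
    return n

def xor_with_hash(shared, data):
    """XOR raw bytes with SHA-1 (assumed hash) of the raw shared-secret bytes."""
    pad = hashlib.sha1(int_to_bytes(shared)).digest()
    if len(data) != len(pad):
        raise ValueError("secret must be %d bytes" % len(pad))
    return bytes(a ^ b for a, b in zip(data, pad))

def token_to_sign(fields):
    """key:value lines, each newline-terminated, no other whitespace."""
    return "".join("%s:%s\n" % kv for kv in fields).encode()

def sign(mac_key, fields):
    mac = hmac.new(mac_key, token_to_sign(fields), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def worked_exchange():
    x_client, x_server = 0x1234567890ABCDEF, 0x0FEDCBA987654321  # constructed
    mac_key = bytes(range(20))                                   # constructed
    pub_client, pub_server = pow(G, x_client, P), pow(G, x_server, P)
    # Server side: wire values are Base64 of raw integer bytes, not of decimal text.
    wire_pub_server = base64.b64encode(int_to_bytes(pub_server)).decode()
    wire_enc_key = base64.b64encode(
        xor_with_hash(pow(pub_client, x_server, P), mac_key)).decode()
    # Client side: decode Base64 first, then hash and XOR the raw bytes.
    shared = pow(bytes_to_int(base64.b64decode(wire_pub_server)), x_client, P)
    recovered = xor_with_hash(shared, base64.b64decode(wire_enc_key))
    fields = [("identity", "http://user.example/"),              # hypothetical
              ("return_to", "http://consumer.example/return")]   # field names
    return {"mac_key": mac_key, "recovered": recovered,
            "wire_pub_server": wire_pub_server, "wire_enc_key": wire_enc_key,
            "sig_server": sign(mac_key, fields), "sig_client": sign(recovered, fields)}

if __name__ == "__main__":
    for name, value in worked_exchange().items():
        print(name, value)
```

Printing the intermediate values from both sides of a run like this gives implementors the byte-for-byte reference points listed above.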