Yadis Examples

Brad Fitzpatrick brad at danga.com
Tue May 17 09:35:04 PDT 2005


On Tue, 17 May 2005, Richard 'toast' Russo wrote:

> On Tue, 17 May 2005, Christopher Schmidt wrote:
>
> > I'm not quite sure how I'm supposed to decrypt the DSA signature that
> > LiveJournal's Yadis server returns: I tried importing the sig into GPG,
> > to do it that way, but it seems that the public key that LiveJournal
> > exports is not valid. I'm not really sure if it's important, either,
> > unless I'm concerned about man-in-the-middle attacks, since the identity
> > server must preserve arguments, and I can just pass an argument with the
> > original URI along.
> >
> If you don't check the signature, it would be trivially easy for the man
> in the middle to be a 'rogue' browser.  The signature (and key exchange)
> is the only thing that lets you know for sure the other server validated
> the request.

I think his question is regarding the format I'm sending it back in:

   base64(r) ":" base64(s)

I just mimicked TypeKey here.  But I already differentiated in that
TypeKey's public key is at:

    http://www.typekey.com/extras/regkeys.txt

(decimal integer literals for p, g, q, pubkey)

Whereas Yadis defines it to be _mode=getpubkey from the authentication
endpoint:

    http://www.livejournal.com/misc/yadis.bml?_mode=getpubkey

In PEM format.  (some ASN.1/DER encoding?)

So perhaps the "assert_foaf"[1] parameter returned by a Yadis server
should be in base64(ASN.1/DER) like the getpubkey is.  What is the
canonical representation of a DSA signature?  I don't know.

- Brad
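
An added example in Python (not code from this thread, LiveJournal, or TypeKey): it parses the `base64(r) ":" base64(s)` form Brad describes, re-encodes the pair as the DER `Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }` that PKIX (RFC 3279) uses for DSA signatures, and runs the standard DSA verification equation on the decoded pair. The hypothetical `p, q, g, y` values used to exercise `dsa_verify` are constructed toy parameters, not real keys.

```python
import base64


def _der_length(n: int) -> bytes:
    # DER length: short form below 128, otherwise 0x80|count followed by the count bytes.
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(n: int) -> bytes:
    # DER INTEGER is two's complement: r and s are positive, so a 0x00 byte is
    # prepended exactly when the top bit of the magnitude is set, never otherwise.
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def parse_colon_sig(sig: str) -> tuple:
    # The TypeKey-style transport form from the mail: base64(r) ":" base64(s),
    # each half being the raw big-endian bytes of the integer.
    r_b64, s_b64 = sig.split(":", 1)
    r = int.from_bytes(base64.b64decode(r_b64, validate=True), "big")
    s = int.from_bytes(base64.b64decode(s_b64, validate=True), "big")
    return r, s


def rs_to_der(r: int, s: int) -> bytes:
    # Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }; this is the one
    # canonical byte string for a given (r, s), which the colon form is not
    # (base64 of "\x00\x08" and of "\x08" both decode to r = 8).
    body = _der_integer(r) + _der_integer(s)
    return b"\x30" + _der_length(len(body)) + body


def dsa_verify(p: int, q: int, g: int, y: int, h: int, r: int, s: int) -> bool:
    # Textbook DSA check (FIPS 186) on an already-decoded (r, s), where h is the
    # message hash as an integer; the transport encoding plays no part here.
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, (h * w) % q, p) * pow(y, (r * w) % q, p) % p) % q
    return v == r
```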
