Yadis Examples
Brad Fitzpatrick
brad at danga.com
Tue May 17 09:35:04 PDT 2005
On Tue, 17 May 2005, Richard 'toast' Russo wrote:
> On Tue, 17 May 2005, Christopher Schmidt wrote:
>
> > I'm not quite sure how I'm supposed to decrypt the DSA signature that
> > LiveJournal's Yadis server returns: I tried importing the sig into GPG,
> > to do it that way, but it seems that the public key that LiveJournal
> > exports is not valid. I'm not really sure if it's important, either,
> > unless I'm concerned about man-in-the-middle attacks, since the identity
> > server must preserve arguments, and I can just pass an argument with the
> > original URI along.
> >
> If you don't check the signature, it would be trivially easy for the man
> in the middle to be a 'rogue' browser. The signature (and key exchange)
> is the only thing that lets you know for sure the other server validated
> the request.
I think his question is regarding the format I'm sending it back in:
base64(r) ":" base64(s)
I just mimicked TypeKey here. But I already differentiated in that
TypeKey's public key is at:
http://www.typekey.com/extras/regkeys.txt
(decimal integer literals for p, g, q, pubkey)
Whereas Yadis defines it to be _mode=getpubkey from the authentication
endpoint:
http://www.livejournal.com/misc/yadis.bml?_mode=getpubkey
In PEM format. (some ASN.1/DER encoding?)
So perhaps the "assert_foaf"[1] parameter returned by a Yadis server
should be in base64(ASN.1/DER) like the getpubkey is. What is the
canonical representation of a DSA signature? I don't know.
- Brad
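To make the two representations in the message concrete, here is an added example (not code from the list, LiveJournal or TypeKey) that converts a DSA (r, s) pair between the TypeKey-style `base64(r) ":" base64(s)` text and the DER form a PEM/ASN.1 toolchain expects, which is `Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }` (RFC 3279). It assumes the TypeKey-style form serializes r and s as unsigned big-endian byte strings, which the message does not spell out. The decoder is strict: it rejects non-minimal lengths and integers, because a verifier that tolerates several encodings of the same signature accepts more than one byte string for one (r, s) pair, which is the kind of malleability a relying party wants to rule out.

```python
import base64
from typing import Tuple


def _int_to_der_bytes(n: int) -> bytes:
    """Minimal big-endian two's-complement content octets for a DER INTEGER.
    A 0x00 pad byte is added only when the top bit is set, so that a large r
    (e.g. one with its high bit set) is not read back as a negative number."""
    if n < 0:
        raise ValueError("DSA r and s are positive integers")
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_encode_dsa_sig(r: int, s: int) -> bytes:
    """Encode (r, s) as the RFC 3279 Dss-Sig-Value SEQUENCE of two INTEGERs."""
    ints = (_int_to_der_bytes(r), _int_to_der_bytes(s))
    body = b"".join(b"\x02" + _der_length(len(v)) + v for v in ints)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read one tag/length/value at pos, enforcing DER's minimal length rules."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F  # nbytes == 0 would be BER indefinite length: not DER
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        if buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def _der_int(value: bytes) -> int:
    """Decode DER INTEGER content octets; only minimal, non-negative values pass."""
    if not value:
        raise ValueError("empty INTEGER")
    if value[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r or s")
    if len(value) > 1 and value[0] == 0 and not (value[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(value, "big")


def der_decode_dsa_sig(der: bytes) -> Tuple[int, int]:
    """Strictly parse a Dss-Sig-Value; raises ValueError on anything non-canonical."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return _der_int(r_bytes), _der_int(s_bytes)


def is_canonical_der(der: bytes) -> bool:
    """True only if der is the unique DER encoding of some (r, s)."""
    try:
        r, s = der_decode_dsa_sig(der)
    except ValueError:
        return False
    return der_encode_dsa_sig(r, s) == der


def typekey_encode(r: int, s: int) -> str:
    """base64(r) ":" base64(s); r and s as unsigned big-endian bytes (assumed)."""
    def b64(n: int) -> str:
        raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return base64.b64encode(raw).decode("ascii")
    return b64(r) + ":" + b64(s)


def typekey_decode(text: str) -> Tuple[int, int]:
    """Parse the base64(r) ":" base64(s) form back into integers."""
    r_b64, sep, s_b64 = text.partition(":")
    if not sep or not r_b64 or not s_b64:
        raise ValueError("expected base64(r):base64(s)")
    r = int.from_bytes(base64.b64decode(r_b64, validate=True), "big")
    s = int.from_bytes(base64.b64decode(s_b64, validate=True), "big")
    return r, s


def typekey_to_der(text: str) -> bytes:
    """Convert a TypeKey-style signature string into its DER form."""
    return der_encode_dsa_sig(*typekey_decode(text))


if __name__ == "__main__":
    # Constructed sample values, not a real LiveJournal signature.
    sig = typekey_encode(200, 5)
    print(sig, typekey_to_der(sig).hex(), der_decode_dsa_sig(typekey_to_der(sig)))
```

Whichever representation a Yadis server ends up sending, the relying party should parse it with this kind of strictness and then run the DSA verification on the recovered (r, s); base64 of the DER bytes would simply wrap `der_encode_dsa_sig` in `base64.b64encode`.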