Yadis Examples

Christopher Schmidt crschmidt at crschmidt.net
Tue May 17 10:03:41 PDT 2005


On Tue, May 17, 2005 at 09:35:04AM -0700, Brad Fitzpatrick wrote:
> 
> On Tue, 17 May 2005, Richard 'toast' Russo wrote:
> 
> > On Tue, 17 May 2005, Christopher Schmidt wrote:
> >
> > > I'm not quite sure how I'm supposed to decrypt the DSA signature that
> > > LiveJournal's Yadis server returns: I tried importing the sig into GPG,
> > > to do it that way, but it seems that the public key that LiveJournal
> > > exports is not valid. I'm not really sure if it's important, either,
> > > unless I'm concerned about man-in-the-middle attacks, since the identity
> > > server must preserve arguments, and I can just pass an argument with the
> > > original URI along.
> > >
> > If you don't check the signature, it would be trivially easy for the man
> > in the middle to be a 'rogue' browser.  The signature (and key exchange)
> > is the only thing that lets you know for sure the other server validated
> > the request.

I suppose I was depending on the referer being accurate, which doesn't
make any sense, you're right.

> I think his question is regarding the format I'm sending it back in:
> 
>    base64(r) ":" base64(s)
> 
> I just mimicked TypeKey here.  But I already differentiated in that
> TypeKey's public key is at:
> 
>     http://www.typekey.com/extras/regkeys.txt
> 
> (decimal integer literals for p, g, q, pubkey)
> 
> Whereas Yadis defines it to be _mode=getpubkey from the authentication
> endpoint:
> 
>     http://www.livejournal.com/misc/yadis.bml?_mode=getpubkey

My biggest problem with this public key is that I have no idea what it
is, or what I'm supposed to do with it. Does the Javascript example
client use it at all in a way that I could refer to?

A client implementation which uses this in a commented-up form would be
useful: I tried to use the javascript as an example, but I didn't
understand it, and there's no other code available that I can find.

> In PEM format.  (some ASN.1/DER encoding?)
> 
> So perhaps the "assert_foaf"[1] parameter returned by a Yadis server
> should be in base64(ASN.1/DER) like the getpubkey is.  What is the
> canonical representation of a DSA signature?  I don't know.

I don't know anything about DSA, so I'm hardly an expert. Just looking
for an example of what I'm supposed to do :)

-- 
Christopher Schmidt
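As an added worked example (not code from this thread, from LiveJournal, or from TypeKey), the following Python shows the two signature representations the thread is comparing: the `base64(r) ":" base64(s)` string Brad describes, and the DER `SEQUENCE { INTEGER r, INTEGER s }` that RFC 3279 specifies for DSA signatures in X.509/PKIX, which is the "canonical representation" asked about. It assumes that each base64 field holds the big-endian bytes of the integer (the thread does not say), and it uses constructed toy DSA parameters (p=23, q=11, g=4, private key 7) with the hash reduced mod q so the arithmetic can be followed by hand; real DSA uses parameters of hundreds of bits and truncates the hash to q's bit length. The verify routine also rejects out-of-range r or s, which any consumer of such a signature should do before trusting it.

```python
import base64
import hashlib
import secrets

# Toy DSA domain parameters (constructed for illustration only): q divides p-1
# and g = 4 has order q modulo p. Real deployments use a p of 1024+ bits.
P, Q, G = 23, 11, 4
X = 7                   # private key (constructed)
Y = pow(G, X, P)        # public key y = g^x mod p  (= 8 with these values)


def _int_to_bytes(n):
    """Minimal big-endian encoding of a non-negative integer (at least one byte)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def sign_digest(z, k):
    """Textbook DSA signing of an integer digest z with per-message secret k."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (z + X * r)) % Q
    return r, s


def verify_digest(z, r, s, y=Y):
    """Textbook DSA verification; out-of-range r or s is rejected outright."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (z * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def digest(message):
    # Real DSA uses the leftmost N bits of the hash; with a tiny q the toy
    # reduces the whole SHA-1 value mod q instead.
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q


def encode_colon(r, s):
    """The thread's wire format: base64(r) ":" base64(s); big-endian bytes assumed."""
    return (base64.b64encode(_int_to_bytes(r)).decode() + ":"
            + base64.b64encode(_int_to_bytes(s)).decode())


def decode_colon(text):
    """Inverse of encode_colon; raises ValueError on malformed input."""
    r_b64, s_b64 = text.split(":", 1)
    r = int.from_bytes(base64.b64decode(r_b64), "big")
    s = int.from_bytes(base64.b64decode(s_b64), "big")
    return r, s


def _der_integer(n):
    body = _int_to_bytes(n)
    if body[0] & 0x80:
        body = b"\x00" + body      # leading zero keeps the INTEGER positive
    return bytes([0x02, len(body)]) + body


def der_signature(r, s):
    """Canonical DER form (RFC 3279): SEQUENCE { INTEGER r, INTEGER s }.

    Short-form lengths only, which covers any realistic DSA (r, s) pair."""
    body = _der_integer(r) + _der_integer(s)
    assert len(body) < 128
    return bytes([0x30, len(body)]) + body


def sign_message(message):
    """Sign a message, retrying k until r and s are both non-zero, and
    return the signature in the colon-separated base64 format."""
    z = digest(message)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r, s = sign_digest(z, k)
        if r != 0 and s != 0:
            return encode_colon(r, s)


def verify_message(message, sig_text, y=Y):
    """Parse the colon-separated signature and verify it against the message."""
    try:
        r, s = decode_colon(sig_text)
    except (ValueError, TypeError):
        return False
    return verify_digest(digest(message), r, s, y)


if __name__ == "__main__":
    sig = sign_message(b"http://example.invalid/identity")   # constructed URI
    print("colon format:", sig)
    print("DER hex:     ", der_signature(*decode_colon(sig)).hex())
    print("verifies:    ", verify_message(b"http://example.invalid/identity", sig))
```

With the toy parameters, digest 5 and k=3 give (r, s) = (7, 7), which encodes as `Bw==:Bw==` in the thread's format and as `30 06 02 01 07 02 01 07` in DER; a single-bit change in the digest makes the same (r, s) fail to verify, and a zero `s` is rejected before any arithmetic is attempted.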