crschmidt at crschmidt.net
Tue May 17 10:03:41 PDT 2005
On Tue, May 17, 2005 at 09:35:04AM -0700, Brad Fitzpatrick wrote:
> On Tue, 17 May 2005, Richard 'toast' Russo wrote:
> > On Tue, 17 May 2005, Christopher Schmidt wrote:
> > > I'm not quite sure how I'm supposed to decrypt the DSA signature that
> > > LiveJournal's Yadis server returns: I tried importing the sig into GPG,
> > > to do it that way, but it seems that the public key that LiveJournal
> > > exports is not valid. I'm not really sure if it's important, either,
> > > unless I'm concerned about man-in-the-middle attacks, since the identity
> > > server must preserve arguments, and I can just pass an argument with the
> > > original URI along.
> > >
> > If you don't check the signature, it would be trivially easy for the man
> > in the middle to be a 'rogue' browser. The singature (and key exchange)
> > is the only thing that lets you know for sure the other server validated
> > the request.
I suppose I was depending on the referer being accurate, which doesn't
make any sense, you're right.
> I think his question is regarding the format I'm sending it back in:
> base64(r) ":" base64(s)
> I just mimiced TypeKey here. But I already differentiated in that
> TypeKey's public keys is at:
> (decimal integer literals for p, g, q, pubkey)
> Whereas Yadis defines it to be _mode=getpubkey from the authentication
My biggest problem with this public key is that I have no idea what it
client use it at all in a way that I could refer to?
A client implementation which uses this in a commented-up form would be
understand it, and there's no other code available that I can find.
> In PEM format. (some ASN.1/DER encoding?)
> So perhaps the "assert_foaf" parameter returned by a Yadis server
> should be in base64(ASN.1/DER) like the getpubkey is. What is the
> canonical representation of a DSA signature? I don't know.
I don't know anything about DSA, so I'm hardly an expert. Just looking
for an example of what I'm supposed to do :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.danga.com/pipermail/yadis/attachments/20050517/62f82fe6/attachment.pgp
More information about the yadis