PHP hackers wanted -- here's a seed
Phillip Pearson
pp at myelin.co.nz
Thu May 26 15:40:49 PDT 2005
> dsa_sign_message, sure, that's easy and you need it all the time.
>
> But why do you need create_dsa_key_pair in PHP? You only need to recreate
> your keypair once at the beginning, and only thereafter whenever you get
> hacked or paranoid. Since you have to store the keypair somewhere
> anywhere (disk, database), why not just use openssl binary, or some Perl
> script to do it, and store it? If people don't have openssl/shell access,
> your server code could require that they make a keypair on another machine
> and upload it to a special protected directory (outside the web root)
That could be done - although it's not nearly as nice as being able to
do it automatically.
> If you want to do signing in PHP, look at the latest version of Crypt::DSA
> (0.13, I believe) on CPAN. It's a pure-perl version which should be easy
> to port.
Ah, that's what I was after - thanks!
> I'd really ignore the key generation part. The pure-perl version of that
> in Crypt::DSA is really, really slow, such that it defaults to looking for
> your openssl binary unless you specify PurePerl => 1 to it. You have to
> do lots of strong random number generation, then lots of primality
> testing, both of which are hard to get right/fast.
True - but it would be *really* nice to be able to have a version of
this that is guaranteed to work on shared hosting, which might not
have the openssl binary.
I'd agree that *defaulting* to using openssl is a Good Thing, but it
would be valuable to be able to automatically generate keys without
it.
I wonder what tools are available on hosting servers that don't have
openssl. If they typically have C compilers, for example ... :-)
Cheers,
Phil
More information about the yadis
mailing list