PHP hackers wanted -- here's a seed

[Phillip Pearson]

> dsa_sign_message, sure, that's easy and you need it all the time.
> 
> But why do you need create_dsa_key_pair in PHP?  You only need to recreate
> your keypair once at the beginning, and only thereafter whenever you get
> hacked or paranoid.  Since you have to store the keypair somewhere
> anywhere (disk, database), why not just use openssl binary, or some Perl
> script to do it, and store it?  If people don't have openssl/shell access,
> your server code could require that they make a keypair on another machine
> and upload it to a special protected directory (outside the web root)

That could be done - although it's not nearly as nice as being able to
do it automatically.

> If you want to do signing in PHP, look at the latest version of Crypt::DSA
> (0.13, I believe) on CPAN.  It's a pure-perl version which should be easy
> to port.

Ah, that's what I was after - thanks!

> I'd really ignore the key generation part.  The pure-perl version of that
> in Crypt::DSA is really, really slow, such that it defaults to looking for
> your openssl binary unless you specify PurePerl => 1 to it.  You have to
> do lots of strong random number generation, then lots of primality
> testing, both of which are hard to get right/fast.

True - but it would be *really* nice to be able to have a version of
this that is guaranteed to work on shared hosting, which might not
have the openssl binary.

I'd agree that *defaulting* to using openssl is a Good Thing, but it
would be valuable to be able to automatically generate keys without
it.

I wonder what tools are available on hosting servers that don't have
openssl.  If they typically have C compilers, for example ... :-)

Cheers,
Phil