well noticed.
On 27 October 2010 00:46, Mike Macgirvin <mi...@macgirvin.com> wrote:
> During some of my compatibility testing w/mistpark, I've discovered
> that several projects are using incorrect implementations of salmon
> magic signatures. In fact, I have not yet found one that is
> compliant.
If I'm not mistaken, this one should be working by the spec:
http://www.madebymonsieur.com/ostatus_discovery/magic_env/readme
I also send you, Mike, a salmon message. Your server replied
successfully at least. Did you receive it?
On 27 October 2010 00:46, Mike Macgirvin <mi...@macgirvin.com> wrote:
> This creates a huge mess because one must send two slaps to each of
> these providers - the first using the correct implementation, and then
> if that fails - repeat using the incorrect format. These have to be
> verified in the same way, falling back to the incorrect format if the
> correct one fails.
True. It's quite a pain in the ...
On 27 October 2010 00:46, Mike Macgirvin <mi...@macgirvin.com> wrote:
> Unfortunately, this means that each of you who wishes to provide
> federated services must also implement this duplication of effort
> until such time as everybody has upgraded and the broken
> implementations begin to fade from existence (this could take a few
> years - which is why everybody needs to start fixing it today(!)).
I think it's just matter of when status.net's implementation is
"fixed". It seems to have the same signing fault as well. Deeply sorry
if I'm wrong.
So in other words, I remove my implementation's "fallback to wrong
signing" as soon as identi.ca is "fixed".
Cheers,
--
Tuomas
If you received a 200 reply the signature verified. Mistpark does not
accept unsolicited messages from the wild (with the exception of
"follow" activities), but it will indicate that the message was received
intact - or throw a 4xx error if the verification failed.
> I think it's just matter of when status.net's implementation is
> "fixed". It seems to have the same signing fault as well.
You're certainly optimistic. There's usually an uncomfortable time lag
between "fixed" and "widely deployed".
On Tue, Oct 26, 2010 at 6:46 PM, Mike Macgirvin <mi...@macgirvin.com> wrote:
> During some of my compatibility testing w/mistpark, I've discovered
> that several projects are using incorrect implementations of salmon
> magic signatures. In fact, I have not yet found one that is
> compliant.
It's true, the signing message format has changed (I apparently missed
it getting promoted from 'experimental').
> This creates a huge mess because one must send two slaps to each of
> these providers - the first using the correct implementation, and then
> if that fails - repeat using the incorrect format. These have to be
> verified in the same way, falling back to the incorrect format if the
> correct one fails.
>
> Unfortunately, this means that each of you who wishes to provide
> federated services must also implement this duplication of effort
> until such time as everybody has upgraded and the broken
> implementations begin to fade from existence (this could take a few
> years - which is why everybody needs to start fixing it today(!)).
Agreed it's a hassle, but it's the nature of the beast when
implementing draft specs that are still under heavy revision. I
believe Salmon is getting "real close now"(tm) - but I'll let John
provide official word there.
That said, I can speak for StatusNet and say - thanks for bringing
this to our attention, I'll be rolling out a fix ASAP.
> The crux of the problem is in section 8 of draft-panzer-magicsig-00
> (section 9.1 if you're working off the trunk).
>
> The implementations I've encountered are only signing the
> base64url_encoded data itself. The correct method is to append the
> string ".YXBwbGljYXRpb24vYXRvbSt4bWw=.YmFzZTY0dXJs.UlNBLVNIQTI1Ng=="
> to the armoured data and use that both for signing and verification.
> (This is a simplification, you should calculate this string yourself
> to allow for future revisions).
>
Good catch. Thanks again!
--
James Walker :: http://walkah.net/ :: http://james.status.net/
That pretty well sums it up for me. With all due respects John - salmon
magic envelopes already require the addition of a lot of bloat to
support its unique way of doing things - at least on the php platform.
I understand the reasoning and appreciate the mechanisms. But couldn't
some of this stuff be done with standard libraries and not require
special salmon flavours of everything (e.g. encryption libs, key
formats, base64 encoders, etc.)?
-- Regards, Kingsley Idehen President & CEO OpenLink Software Web: http://www.openlinksw.com Weblog: http://www.openlinksw.com/blog/~kidehen Twitter/Identi.ca: kidehen
Plenty - but that's PHP's problem ... lack of quality libraries. (imnsho).
That said - it was an issue when we first started implementing salmon,
but the phpseclib library that StatusNet is using has proven to be
reliable since. Thought, the PHP gmp extension makes a *world* of
difference for performance (but that's true of *any* crypto -
diffe-hellman for openid, et al has the same issue).
I think the only "non standard" bit is the base64url encoding but it's
a single line to implement in PHP on top of the standard
base64_encode/decode.
> (Note that the reason for not requiring certificates, and using a simple RSA
> keypair format, is that you end up needing to install compiled C libraries
> to parse ASN.1 stuff for a lot (all?) non-Java languages, which in some
> environments is a nonstarter.)
>
> --
> John Panzer / Google
> jpa...@google.com / abstractioneer.org / @jpanzer
>
>
> On Fri, Oct 29, 2010 at 2:27 PM, Mike Macgirvin <mi...@macgirvin.com> wrote:
>>>
>>> Cons: Nonstandard
>>
>> That pretty well sums it up for me. With all due respects John - salmon
>> magic envelopes already require the addition of a lot of bloat to support
>> its unique way of doing things - at least on the php platform.
>>
>> I understand the reasoning and appreciate the mechanisms. But couldn't
>> some of this stuff be done with standard libraries and not require special
>> salmon flavours of everything (e.g. encryption libs, key formats, base64
>> encoders, etc.)?
>>
>
>
--
On Fri, Oct 29, 2010 at 6:00 PM, John Panzer <jpa...@google.com> wrote:Plenty - but that's PHP's problem ... lack of quality libraries. (imnsho).
> We're using bog-standard encryption libraries for RSA-SHA256. I'm curious
> as to what encryption problems PHP brings to the table?
That said - it was an issue when we first started implementing salmon,
but the phpseclib library that StatusNet is using has proven to be
reliable since. Thought, the PHP gmp extension makes a *world* of
difference for performance (but that's true of *any* crypto -
diffe-hellman for openid, et al has the same issue).
I think the only "non standard" bit is the base64url encoding but it's
a single line to implement in PHP on top of the standard
base64_encode/decode.
That said, I can speak for StatusNet and say - thanks for bringing this to our attention, I'll be rolling out a fix ASAP.
|
Evan Prodromou, CEO StatusNet Inc., 1124 rue Marie-Anne Est #32, Montreal, QC H2J 2T5 T: 438-380-4801 x101 C: 514-554-3826 W: http://evan.status.net/ E: ev...@status.net |