hypercat-sig
4 views
Skip to first unread message
Toby Jaffey
Dec 14, 2015, 6:34:14 AM12/14/15
to hype...@googlegroups.com
As a demonstration of signing HyperCat catalogues, we have developed hypercat-sig.
The project allows generating and verifying a digital signature, held in catalogue metadata.
https://github.com/HyperCatIoT/hypercat-sig
--
The project allows generating and verifying a digital signature, held in catalogue metadata.
https://github.com/HyperCatIoT/hypercat-sig
--
Golby, David (UK)
Dec 14, 2015, 6:51:09 AM12/14/15
to hype...@googlegroups.com
Hi Toby
This is interesting news. However, given that I have a Java-based web application that hosts my HyperCat catalog I need to understand what I would need to do in order to sign it with the JavaScript code that you provide...
Can this JavaScript be used in a Java web application at some level? If so what steps do I need to take in order to do this? For instance I could intercept the HTTP Response where the main HyperCat data is stored and sign it there, but this requires me to somehow activate a JavaScript engine and loading the JavaScript and catalog text into it.
I have never done this sort of thing before, but is what I describe above possible and if it is do you have pointers to examples where it is done?
Any info would be appreciated.
David
-----Original Message-----
From: hype...@googlegroups.com [mailto:hype...@googlegroups.com] On Behalf Of Toby Jaffey
Sent: 14 December 2015 11:34
To: hype...@googlegroups.com
Subject: hypercat-sig
----------------------! WARNING ! ---------------------- This message originates from outside our organisation, either from an external partner or from the internet.
Consider carefully whether you should click on any links, open any attachments or reply.
Follow the 'Report Suspicious Emails' link on IT matters for instructions on reporting suspicious email messages.
--------------------------------------------------------
--
You received this message because you are subscribed to the Google Groups "HyperCat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hypercat+u...@googlegroups.com.
To post to this group, send an email to hype...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/hypercat/2AC664CE-5DA3-420B-AB75-5846CA32E60D%401248.io.
For more options, visit https://groups.google.com/d/optout.
********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************
This is interesting news. However, given that I have a Java-based web application that hosts my HyperCat catalog I need to understand what I would need to do in order to sign it with the JavaScript code that you provide...
Can this JavaScript be used in a Java web application at some level? If so what steps do I need to take in order to do this? For instance I could intercept the HTTP Response where the main HyperCat data is stored and sign it there, but this requires me to somehow activate a JavaScript engine and loading the JavaScript and catalog text into it.
I have never done this sort of thing before, but is what I describe above possible and if it is do you have pointers to examples where it is done?
Any info would be appreciated.
David
-----Original Message-----
From: hype...@googlegroups.com [mailto:hype...@googlegroups.com] On Behalf Of Toby Jaffey
Sent: 14 December 2015 11:34
To: hype...@googlegroups.com
Subject: hypercat-sig
----------------------! WARNING ! ---------------------- This message originates from outside our organisation, either from an external partner or from the internet.
Consider carefully whether you should click on any links, open any attachments or reply.
Follow the 'Report Suspicious Emails' link on IT matters for instructions on reporting suspicious email messages.
--------------------------------------------------------
You received this message because you are subscribed to the Google Groups "HyperCat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hypercat+u...@googlegroups.com.
To post to this group, send an email to hype...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/hypercat/2AC664CE-5DA3-420B-AB75-5846CA32E60D%401248.io.
For more options, visit https://groups.google.com/d/optout.
********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************
Toby Jaffey
Dec 14, 2015, 8:45:15 AM12/14/15
to hype...@googlegroups.com
On 14 Dec 2015, at 11:51, Golby, David (UK) <david...@baesystems.com> wrote:
> Hi Toby
>
> This is interesting news. However, given that I have a Java-based web application that hosts my HyperCat catalog I need to understand what I would need to do in order to sign it with the JavaScript code that you provide...
>
> Can this JavaScript be used in a Java web application at some level?
In theory, you could use something like Rhino to run the JavaScript in Java, but that would be overkill.
> If so what steps do I need to take in order to do this? For instance I could intercept the HTTP Response where the main HyperCat data is stored and sign it there, but this requires me to somehow activate a JavaScript engine and loading the JavaScript and catalog text into it.
>
> I have never done this sort of thing before, but is what I describe above possible and if it is do you have pointers to examples where it is done?
--
Sam Mulube
Dec 14, 2015, 10:40:42 AM12/14/15
to hype...@googlegroups.com
Hey Toby,
looks interesting.
I know it's just a demo/proof of concept, but do you think it's potentially a problem to include the publisher's public key directly into the signed catalogue?
I feel like just by having it there, there might be a temptation for a client to use that copy of the public key for verification rather than having to go through the hassle of obtaining it via some other trusted channel. If a client did do that then wouldn't it be trivial for a MITM attacker to publish a malicious catalogue signed by their own key pair and so bypass the security of the signed catalogue?
I might be misunderstanding things, as I'm not a crypto expert by any means, but if the above scenario would be a problem, then wouldn't it be better to remove that potential pitfall by not including the public key in the signed catalogue and making it explicit that it must be obtained by other means?
Toby Jaffey
Dec 14, 2015, 11:05:21 AM12/14/15
to hype...@googlegroups.com
On 14 Dec 2015, at 15:40, Sam Mulube <s...@thingful.net> wrote:
> I know it's just a demo/proof of concept, but do you think it's potentially a problem to include the publisher's public key directly into the signed catalogue?
You're absolutely right that the public key in the catalogue should not be trusted without verification, but this is the nature of PKI.
It's critical that users validate the public keys, through a fingerprint, key server, CA or other chain of trust mechanism.
We could replace that key with a signed certificate, but there's a cost to getting going.
> I might be misunderstanding things, as I'm not a crypto expert by any means, but if the above scenario would be a problem, then wouldn't it be better to remove that potential pitfall by not including the public key in the signed catalogue and making it explicit that it must be obtained by other means?
I think that's worth it at the moment.
--
john.nj...@bt.com
Dec 14, 2015, 11:06:50 AM12/14/15
to hype...@googlegroups.com
"enough rope to shoot yourself in the foot"
I thought you'd need a gun for that...... ;-)
-----Original Message-----
From: hype...@googlegroups.com [mailto:hype...@googlegroups.com] On Behalf Of Toby Jaffey
--
You received this message because you are subscribed to the Google Groups "HyperCat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hypercat+u...@googlegroups.com.
To post to this group, send an email to hype...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/hypercat/35AC159B-2BE5-4277-A773-3606341E0705%401248.io.
You received this message because you are subscribed to the Google Groups "HyperCat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hypercat+u...@googlegroups.com.
To post to this group, send an email to hype...@googlegroups.com.
Dritan Kaleshi
Dec 14, 2015, 11:21:00 AM12/14/15
to hype...@googlegroups.com
> "enough rope to shoot yourself in the foot"
> I thought you'd need a gun for that...... ;-)
Not in HyperCat reality, you don¹t Š ;-)
> I thought you'd need a gun for that...... ;-)
--
Dr Dritan Kaleshi
5G Fellow
Mob: +44 (0) 7584 075 686
Email: dritan....@cde.catapult.org.uk
Twitter: @DritanKaleshi <https://twitter.com/DritanKaleshi>
Digital Catapult Centre | 101 Euston Road | London | NW1 2RA
@DigiCatapult | cde.catapult.org.uk
On 14/12/2015 16:06, "hype...@googlegroups.com on behalf of
john.nj...@bt.com" <hype...@googlegroups.com on behalf of
>b%40rew09926dag10c.domain1.systemhost.net.
Reply all
Reply to author
Forward
0 new messages