help in understanding notary reply
20 views
Skip to first unread message
Prasanth Kumar
Jun 25, 2015, 6:15:12 AM6/25/15
to perspect...@googlegroups.com
Hi all,
I came across perspective recently and it fascinated me like anything !!!! I am trying to understand how this plugin is working, but could not come across any documentation so far. So i am posting my doubt in this forum ... hope i dont offend any one
1) when i quirey https://nine-eyes.herokuapp.com/?host=www.onlinesbi.com&port=443&service_type=2 from my browser and got the following reply
<notary_reply sig="AQ7dtbEtbv54eltO1+Vlz7Md+qL9g99otscYmI2wY/VrIYaKBG7uHYGQHOkzrgBf071hFsLV+3M0eeG/40+tDwEOMrdehWWF/g2ykXTlW+nLJgK1n1oC8mRDf/X5m85pKW4OBNk9BUxlvWGYo5kToh4B6cKlSc/TP+zS8bfMVCASjfcza79h41VWuugB6sm+rXPBBcHqDx19VHmMcajR83qgcD8ehkenyJlTVA==" sig_type="rsa-md5" version="1">
<key fp="ca:70:cf:4f:53:a3:85:f2:43:a1:b6:c2:e3:0c:8c:f9" type="ssl">
<timestamp end="1395731299" start="1353651801"/></key>
<key fp="e7:c7:57:de:0d:a7:78:62:b1:db:5f:1c:19:bb:e4:49" type="ssl">
<timestamp end="1399014788" start="1395731300"/>
<timestamp end="1401779287" start="1399187796"/>
<timestamp end="1435216148" start="1401952326"/></key>
</notary_reply>
Can any one tell me
what is the "sig" in notary reply (whether it is a signature created by notary's secret key on some field in the x509 certificate of www.onlinesbi.com)
what is fp (is this finger print any way related to some field in the x509 certificate of www.onlinesbi.com)
waht is timestamp ( is it the "from date" and "to date" the certificate is observed by the notary)
Thanks in anticipation :-)
I came across perspective recently and it fascinated me like anything !!!! I am trying to understand how this plugin is working, but could not come across any documentation so far. So i am posting my doubt in this forum ... hope i dont offend any one
1) when i quirey https://nine-eyes.herokuapp.com/?host=www.onlinesbi.com&port=443&service_type=2 from my browser and got the following reply
<notary_reply sig="AQ7dtbEtbv54eltO1+Vlz7Md+qL9g99otscYmI2wY/VrIYaKBG7uHYGQHOkzrgBf071hFsLV+3M0eeG/40+tDwEOMrdehWWF/g2ykXTlW+nLJgK1n1oC8mRDf/X5m85pKW4OBNk9BUxlvWGYo5kToh4B6cKlSc/TP+zS8bfMVCASjfcza79h41VWuugB6sm+rXPBBcHqDx19VHmMcajR83qgcD8ehkenyJlTVA==" sig_type="rsa-md5" version="1">
<key fp="ca:70:cf:4f:53:a3:85:f2:43:a1:b6:c2:e3:0c:8c:f9" type="ssl">
<timestamp end="1395731299" start="1353651801"/></key>
<key fp="e7:c7:57:de:0d:a7:78:62:b1:db:5f:1c:19:bb:e4:49" type="ssl">
<timestamp end="1399014788" start="1395731300"/>
<timestamp end="1401779287" start="1399187796"/>
<timestamp end="1435216148" start="1401952326"/></key>
</notary_reply>
Can any one tell me
what is the "sig" in notary reply (whether it is a signature created by notary's secret key on some field in the x509 certificate of www.onlinesbi.com)
what is fp (is this finger print any way related to some field in the x509 certificate of www.onlinesbi.com)
waht is timestamp ( is it the "from date" and "to date" the certificate is observed by the notary)
Thanks in anticipation :-)
Tio Oscar
Jun 25, 2015, 11:23:06 AM6/25/15
to perspect...@googlegroups.com
"sign" is the digital signature fro response validation.
Next you have the key items with th "fp" (Fingerprint) and the time ranges (in unix timestamp format) when the notary server check that key.--
You received this message because you are subscribed to the Google Groups "perspectives-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to perspectives-d...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Prasanth Kumar
Jun 26, 2015, 12:28:22 AM6/26/15
to perspect...@googlegroups.com
Hi,
Thanks for the reply. I understood sig and the time ranges (in unix timestamp format). But, I am unable to understand how fp is related to the server certificate as i could not see the fp i recieved in the notary reply any where on the server certificate.
my guess is that fp is some kind of hash on "server certificate" or server's publickey (modulus||exponenet). Please let me know if i am wrong or right. Thanks a lot.
Regards,
Prasanth Thandra
Thanks for the reply. I understood sig and the time ranges (in unix timestamp format). But, I am unable to understand how fp is related to the server certificate as i could not see the fp i recieved in the notary reply any where on the server certificate.
my guess is that fp is some kind of hash on "server certificate" or server's publickey (modulus||exponenet). Please let me know if i am wrong or right. Thanks a lot.
Regards,
Prasanth Thandra
Tio Oscar
Jun 26, 2015, 12:43:49 AM6/26/15
to perspect...@googlegroups.com
Yes, the fingerprint is basically a sum (hash) of the public certificate.
Adam Watkins
Jun 26, 2015, 12:37:14 PM6/26/15
to perspect...@googlegroups.com
It's a (MD5) digest of the DER-encoded public certificate.
I believe it's planned to transition to a SHA256 digest at some point.
I believe it's planned to transition to a SHA256 digest at some point.
Dave Schaefer
Jul 7, 2015, 11:54:21 PM7/7/15
to perspect...@googlegroups.com
Hi Prasanth, thanks for reaching out. And thanks Tio and Adam for
chiming in with very helpful replies. You are right - this should
definitely be documented somewhere more prominently. Currently there
is some sample output documented as part of the server API here -
https://github.com/danwent/Perspectives-Server/blob/master/doc/api.md
, but we should perhaps add it to the Help page and have it online.
Adam and Tio are correct - the 'fp' stands for 'fingerprint', and that
field is a hash of the website's certificate seen by a notary.
Currently the notaries only look at the 'main' end-entity or leaf
certificate for a site. This is something we would like to address in
the future - collecting data on other certificates such as resources
from a different domain[1].
As also mentioned the timestamp is a unix timestamp. The 'start'
timestamp is the first time that a notary saw the given certificate
for that site, and continued seeing it up until the 'end' timestamp.
The "sig" field is a cryptographic signature of the message the notary
sends. It is indeed created using a notary's secret key, so it can be
verified and validated by your Perspectives plugin in the browser.
Does that make sense?
As Adam points out, the fingerprints/hashes are unfortunately still
using the MD5 algorithm. We definitely want to upgrade this to SHA256;
it is on our list of priorities in the Perspectives Roadmap[2].
I hope that helps. Thanks for your interest in the project!
[1] https://github.com/danwent/Perspectives/issues/14
[2] https://github.com/danwent/Perspectives/wiki/Perspectives-Roadmap
chiming in with very helpful replies. You are right - this should
definitely be documented somewhere more prominently. Currently there
is some sample output documented as part of the server API here -
https://github.com/danwent/Perspectives-Server/blob/master/doc/api.md
, but we should perhaps add it to the Help page and have it online.
Adam and Tio are correct - the 'fp' stands for 'fingerprint', and that
field is a hash of the website's certificate seen by a notary.
Currently the notaries only look at the 'main' end-entity or leaf
certificate for a site. This is something we would like to address in
the future - collecting data on other certificates such as resources
from a different domain[1].
As also mentioned the timestamp is a unix timestamp. The 'start'
timestamp is the first time that a notary saw the given certificate
for that site, and continued seeing it up until the 'end' timestamp.
The "sig" field is a cryptographic signature of the message the notary
sends. It is indeed created using a notary's secret key, so it can be
verified and validated by your Perspectives plugin in the browser.
Does that make sense?
As Adam points out, the fingerprints/hashes are unfortunately still
using the MD5 algorithm. We definitely want to upgrade this to SHA256;
it is on our list of priorities in the Perspectives Roadmap[2].
I hope that helps. Thanks for your interest in the project!
[1] https://github.com/danwent/Perspectives/issues/14
[2] https://github.com/danwent/Perspectives/wiki/Perspectives-Roadmap
Reply all
Reply to author
Forward
0 new messages