
World: r3wp

[!REBOL3-OLD1]

[unknown: 10]
4-Jun-2007
[3322]
Thanks !
Gregg
4-Jun-2007
[3323]
We did signing for SurfNet's Stunnel-in-a-box project.
Pekr
4-Jun-2007
[3324]
It does not help anyone, if not in rebol directly, that is the point 
...
Gabriele
4-Jun-2007
[3325]
if that was the case, then we'd need to have everything built in. 
do we want ajax js libraries built in because it does not help anyone 
if cgi authors have to pick them themselves?
Pekr
4-Jun-2007
[3326x2]
then you misunderstand, what is important, and what is not.
today's sw world, distributed, without signatures? The thing is, 
someone from RT confirmed that the stuff is inside, just not exposed. 
And that is waste of resources. So - expose them.
Gabriele
4-Jun-2007
[3328x3]
signatures - rebol has that built in. is called rsa encryption
parsing of some file format - that you can do yourself.
it's not like jpeg decoding that has to be done in c for speed.
Pekr
4-Jun-2007
[3331]
how do I choose windows installed certificate? :-)
Gregg
5-Jun-2007
[3332]
then you misunderstand, what is important, and what is not.

 -- I think Gabriele misunderstands very little. :-) The thing is, 
 it's all about compromises. What is important to you might not be 
 important to me at all, and vice versa. So how do you choose what 
 to include, and how big is too big for REBOL to be? 


If something is wanted and needed by 80% of the community, or 0.1% 
that's doing something really important, those are easier calls to 
make. Many features have doubtful value to at least some people, 
but we can't use those as justification for adding other things of 
doubtful value. So, I want a good voting system, and tracking for 
new community mezz funcs, to see what gets used the most; what people 
want and need.


That said, I think security is so important now that anything we 
can do to make REBOL a better tool for writing secure systems is 
a good thing.
Pekr
5-Jun-2007
[3333x2]
But I am not talking about new features at all. Someone said, that 
Core contains certificates handling already, which means, even parsing? 
It is the same situation, how Rebol contained internally convolve 
function, which was just not exposed. So, we are talking nearly zero 
addition to Rebol. And not having certificates handling in rebol 
directly is what actually stopped rebol plug-in. If I'll see some 
reblet signed from Gregg, I will not think any second to just press 
"Run". 


I am not now opting for the particular functionality - my question 
was more general. Plug-in development stopped, because Josh stated, 
that he is working on soon-to-be-released new schema for Rebol security. 
We all knew how it would end, and we were not wrong. That is exactly 
the reason, why I ask - there is no plug-in, without the security. 
And plug-in is imo very crucial product now.
Forget certificates right now, before we enter another pointless 
discussion. The thing is, that I believe RT regards reblet signing 
important thing, and that it will come. If it is not part of the 
system, no one will do it, period. The same reason, why RT pushes 
for rebservices - it will be standard without any need for further 
discussion, if we do it this way, or that way ...
Gabriele
5-Jun-2007
[3335]
you're still confusing signing with certificates. the ssl module 
certainly has to parse certs in the ssl handshake. but that does 
not mean that it will parse any cert file format. and, there are 
many. but... even if it was exposed, what would it save you? three 
lines of parse?
Pekr
5-Jun-2007
[3336]
I am not sure I am confusing anything. If it is not there, then it 
is not there. I can give an example - Bobik - he left rebol, because 
of our often claims, that we can do anything. But he is looking for 
the end user tool. He does not want to code mySQL driver himself, 
he wants to use one. So, if you will have website with rebol features, 
what will be your answer to following bullet:

certificates support: 


Yes, or no? Am I able to easily send rebol email, signed, which displays 
in Thunderbird or Outlook, as signed? Am I able to choose from centrally 
installed certificates in Windows certificate container? That is 
my point. So - if it is only 3 lines of code, just take a note, and 
when RT will be thinking of security/privacy issues, please count 
such things in?
Gabriele
5-Jun-2007
[3337x2]
send signed email - yes you can do that. does it need to be in send? 
should send also handle return receipts? should it handle gmail apis? 
should it handle exchange servers? where do we stop?
windows cert container - why should rebol even bother about that? 
that's something that 1% of rebolers would maybe need once in their 
life
Pekr
5-Jun-2007
[3339]
Do you actually follow corporate environment?
Gabriele
5-Jun-2007
[3340x2]
petr, corporate environment means that we should provide 6 dvds of 
rebol ide
we don't want to go there. we want to provide specific solutions, 
not buzzwords
Pekr
5-Jun-2007
[3342]
Because last year, I was asking about certificates. There was a possibility 
for me, to have small rebol app, which securely sends and checks 
documents. It could be used for invoices exchange. I stopped because 
no one was able to point me out, how should I check for signatures.
Gabriele
5-Jun-2007
[3343x3]
that does not stop you from providing the buzzwords
the detective only executes signed code. the code for that is available.
now is it cert parsing that you want or signing? signing is explained 
on rebol.com
Pekr
5-Jun-2007
[3346]
Whereas guys from Delphi crowd were able to do that. Now you can 
blame me, that I was not able to make it. REBOL nor its community 
did not work as enabler for me here. And I can see only one sensible 
way to avoid that in the future - projects domain, bounty system 
...
Gabriele
5-Jun-2007
[3347]
and worst case - why not use CALL to call openssl??
Pekr
5-Jun-2007
[3348]
cert parsing
Gabriele
5-Jun-2007
[3349x2]
stopping a project because of that does not seem rebol fault to me.
cert parsing - how much time would that have been? one day? two days? 
if you save a month by using rebol, then what's the problem with 
two days?
Pekr
5-Jun-2007
[3351]
stopping the project, because Delphi guys had libraries at hand, 
whereas I could not find examples of how to utilise certificates.
Gabriele
5-Jun-2007
[3352]
otherwise, if you don't save time, just go with delphi - what's the 
problem? we can't possibly do everything for everyone.
Pekr
5-Jun-2007
[3353x2]
Gabriele - you constantly provide the same picture, and if we guys 
don't change attitude, we will not get new ppl attracted.
You could do that in one hour, for me - I did not find any help, 
and it was show stopper for me.
Gabriele
5-Jun-2007
[3355x4]
we don't want to turn into perl, that's my only concern. otherwise 
we'd just go to perl and have all the new people you want.
good design is about what to leave out.
now... why not having x509 parsing in rebol? that's surely possible 
and probably a good thing to do. but, tomorrow you'll find something 
else that's missing.
so, nothing really would change.
Pekr
5-Jun-2007
[3359]
I remember exactly the same discussions when Terry was proposing 
RASH - we claimed we could do everything Flash can. Yes, in theory. 
But there are many ppl, who look for new tools in internet era. Some 
of them, don't want to code drivers etc. themselves. In fact - they 
choose upon what is available. To avoid this situation, I propose 
bounty system, it would be vital. So guy like me could take some 
money and sponsor some development.
Gabriele
5-Jun-2007
[3360x2]
it's not like adding x509 parsing changes the world.
especially since someone may not be using x509 at all
Pekr
5-Jun-2007
[3362]
Ah, so you talk all the time, if something should be part of "standard" 
rebol or not? Well, that is misunderstanding. I don't require something 
to be included. I am ok with extensions, libraries.
Gabriele
5-Jun-2007
[3363x6]
and why should RT write all the libraries?
if i needed that really quick, i would just CALL openssl
[giesse-:-batou]:/etc/ssl/certs$ openssl x509 -text -in Visa_eCommerce_Root.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root
        Validity
            Not Before: Jun 26 02:18:36 2002 GMT
            Not After : Jun 24 00:16:12 2022 GMT

        Subject: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:af:57:de:56:1e:6e:a1:da:60:b1:94:27:cb:17:
                    db:07:3f:80:85:4f:c8:9c:b6:d0:f4:6f:4f:cf:99:
                    d8:e1:db:c2:48:5c:3a:ac:39:33:c7:1f:6a:8b:26:
                    3d:2b:35:f5:48:b1:91:c1:02:4e:04:96:91:7b:b0:
                    33:f0:b1:14:4e:11:6f:b5:40:af:1b:45:a5:4a:ef:
                    7e:b6:ac:f2:a0:1f:58:3f:12:46:60:3c:8d:a1:e0:
                    7d:cf:57:3e:33:1e:fb:47:f1:aa:15:97:07:55:66:
                    a5:b5:2d:2e:d8:80:59:b2:a7:0d:b7:46:ec:21:63:
                    ff:35:ab:a5:02:cf:2a:f4:4c:fe:7b:f5:94:5d:84:
                    4d:a8:f2:60:8f:db:0e:25:3c:9f:73:71:cf:94:df:
                    4a:ea:db:df:72:38:8c:f3:96:bd:f1:17:bc:d2:ba:
                    3b:45:5a:c6:a7:f6:c6:17:8b:01:9d:fc:19:a8:2a:
                    83:16:b8:3a:48:fe:4e:3e:a0:ab:06:19:e9:53:f3:
                    80:13:07:ed:2d:bf:3f:0a:3c:55:20:39:2c:2c:00:
                    69:74:95:4a:bc:20:b2:a9:79:e5:18:89:91:a8:dc:
                    1c:4d:ef:bb:7e:37:0b:5d:fe:39:a5:88:52:8c:00:
                    6c:ec:18:7c:41:bd:f6:8b:75:77:ba:60:9d:84:e7:
                    fe:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                15:38:83:0F:3F:2C:3F:70:33:1E:CD:46:FE:07:8C:20:E0:D7:C3:B7
    Signature Algorithm: sha1WithRSAEncryption
        5f:f1:41:7d:7c:5c:08:b9:2b:e0:d5:92:47:fa:67:5c:a5:13:
        c3:03:21:9b:2b:4c:89:46:cf:59:4d:c9:fe:a5:40:b6:63:cd:
        dd:71:28:95:67:11:cc:24:ac:d3:44:6c:71:ae:01:20:6b:03:
        a2:8f:18:b7:29:3a:7d:e5:16:60:53:78:3c:c0:af:15:83:f7:
        8f:52:33:24:bd:64:93:97:ee:8b:f7:db:18:a8:6d:71:b3:f7:
        2c:17:d0:74:25:69:f7:fe:6b:3c:94:be:4d:4b:41:8c:4e:e2:
        73:d0:e3:90:22:73:43:cd:f3:ef:ea:73:ce:45:8a:b0:a6:49:
        ff:4c:7d:9d:71:88:c4:76:1d:90:5b:1d:ee:fd:cc:f7:ee:fd:
        60:a5:b1:7a:16:71:d1:16:d0:7c:12:3c:6c:69:97:db:ae:5f:
        39:9a:70:2f:05:3c:19:46:04:99:20:36:d0:60:6e:61:06:bb:
        16:42:8c:70:f7:30:fb:e0:db:66:a3:00:01:bd:e6:2c:da:91:
        5f:a0:46:8b:4d:6a:9c:3d:3d:dd:05:46:fe:76:bf:a0:0a:3c:
        e4:00:e6:27:b7:ff:84:2d:de:ba:22:27:96:10:71:eb:22:ed:
        df:df:33:9c:cf:e3:ad:ae:8e:d4:8e:e6:4f:51:af:16:92:e0:
        5c:f6:07:0f
how much would it take to extract the key and signature from that?
having more time, i'd just study the binary file format and parse 
it myself. i don't see any show-stopper.
but again, assume this was built in, or available as library from 
rt. you would simply find something else that is not built in and 
complain about that :)
Pekr
5-Jun-2007
[3369]
Where were you when I needed the help? :-)
Terry
5-Jun-2007
[3370x2]
any word on library access for R3.. is it free now?
otherwise CALL is the only way to go