World: r3wp

petr, corporate environment means that we should provide 6 dvds of 
rebol ide

we don't want to go there. we want to provide specific solutions, 
not buzzwords

Because last year, I was asking about certificates. There was a possibility 
for me, to have small rebol app, which securely sends and checks 
documents. It could be used for invoices exchange. I stopped because 
noone was able to point me out, how should I check for signatures.

that does not stop you from providing the buzzwords

the detective only executes signed code. the code for that is available.

now is it cert parsing that you want or signing? signing is explained 
on rebol.com

Whereas guys from Delphi crowd were able to do that. Now you can 
blame me, that I was not able to make it. REBOL nor its community 
did not work as enabler for me here. And I can see only one sensible 
way to avoid that in the future - projects domain, bounty system 
...

and worst case - why not use CALL to call openssl??

cert parsing

stopping a project because of that does not seem rebol fault to me.

cert parsing - how much time would have that been? one day? two days? 
if you save a month by using rebol, then what's the problem with 
two days?

stopping the project, because Delphi guys had libraries at hand, 
whereas I could not find examples of how to utilise certificates.

otherwise, if you don't save time, just go with delphi - what's the 
problem? we can't possibly do everything for everyone.

Gabriele - you constantly provide the same picture, and if we guys 
don't change attitude, we will not get new ppl attracted.

You could do that in one hour, for me - I did not find any help, 
and it was show stopper for me.

we don't want to turn into perl, that's my only concern. otherwise 
we'd just go to perl and have all the new people you want.

good design is about what to leave out.

now... why not having x509 parsing in rebol? that's surely possible 
and probably a good thing to do. but, tomorrow you'll find something 
else that's missing.

so, nothing really would change.

I remember exactly the same discussions when Terry was proposing 
RASH - we claimed we could do everything Flash can. Yes, in teory. 
But there is many ppl, who look for new tools in internet era. Some 
of them, don't want to code drivers etc. themself. In fact - they 
choose upon what is available. To avoid this situation, I propose 
bounty system, it would be vital. So guy like me could take some 
money and sponsor some development.

it's not like adding x509 parsing changes the world.

expecially since someone may not be using x509 at all

Ah, so you talk all the time, if something should be part of "standard" 
rebol or not? Well, that is misunderstanding. I don't require something 
to be included. I am ok with extensions, libraries.

and why should RT write all the libraries?

if i needed that really quick, i would just CALL openssl

[giesse-:-batou]:/etc/ssl/certs$ openssl x509 -text -in Visa_eCommerce_Root.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, O=VISA, OU=Visa International Service Association, 
        CN=Visa eCommerce Root
        Validity
            Not Before: Jun 26 02:18:36 2002 GMT
            Not After : Jun 24 00:16:12 2022 GMT

        Subject: C=US, O=VISA, OU=Visa International Service Association, 
        CN=Visa eCommerce Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:af:57:de:56:1e:6e:a1:da:60:b1:94:27:cb:17:
                    db:07:3f:80:85:4f:c8:9c:b6:d0:f4:6f:4f:cf:99:
                    d8:e1:db:c2:48:5c:3a:ac:39:33:c7:1f:6a:8b:26:
                    3d:2b:35:f5:48:b1:91:c1:02:4e:04:96:91:7b:b0:
                    33:f0:b1:14:4e:11:6f:b5:40:af:1b:45:a5:4a:ef:
                    7e:b6:ac:f2:a0:1f:58:3f:12:46:60:3c:8d:a1:e0:
                    7d:cf:57:3e:33:1e:fb:47:f1:aa:15:97:07:55:66:
                    a5:b5:2d:2e:d8:80:59:b2:a7:0d:b7:46:ec:21:63:
                    ff:35:ab:a5:02:cf:2a:f4:4c:fe:7b:f5:94:5d:84:
                    4d:a8:f2:60:8f:db:0e:25:3c:9f:73:71:cf:94:df:
                    4a:ea:db:df:72:38:8c:f3:96:bd:f1:17:bc:d2:ba:
                    3b:45:5a:c6:a7:f6:c6:17:8b:01:9d:fc:19:a8:2a:
                    83:16:b8:3a:48:fe:4e:3e:a0:ab:06:19:e9:53:f3:
                    80:13:07:ed:2d:bf:3f:0a:3c:55:20:39:2c:2c:00:
                    69:74:95:4a:bc:20:b2:a9:79:e5:18:89:91:a8:dc:
                    1c:4d:ef:bb:7e:37:0b:5d:fe:39:a5:88:52:8c:00:
                    6c:ec:18:7c:41:bd:f6:8b:75:77:ba:60:9d:84:e7:
                    fe:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:

                15:38:83:0F:3F:2C:3F:70:33:1E:CD:46:FE:07:8C:20:E0:D7:C3:B7
    Signature Algorithm: sha1WithRSAEncryption
        5f:f1:41:7d:7c:5c:08:b9:2b:e0:d5:92:47:fa:67:5c:a5:13:
        c3:03:21:9b:2b:4c:89:46:cf:59:4d:c9:fe:a5:40:b6:63:cd:
        dd:71:28:95:67:11:cc:24:ac:d3:44:6c:71:ae:01:20:6b:03:
        a2:8f:18:b7:29:3a:7d:e5:16:60:53:78:3c:c0:af:15:83:f7:
        8f:52:33:24:bd:64:93:97:ee:8b:f7:db:18:a8:6d:71:b3:f7:
        2c:17:d0:74:25:69:f7:fe:6b:3c:94:be:4d:4b:41:8c:4e:e2:
        73:d0:e3:90:22:73:43:cd:f3:ef:ea:73:ce:45:8a:b0:a6:49:
        ff:4c:7d:9d:71:88:c4:76:1d:90:5b:1d:ee:fd:cc:f7:ee:fd:
        60:a5:b1:7a:16:71:d1:16:d0:7c:12:3c:6c:69:97:db:ae:5f:
        39:9a:70:2f:05:3c:19:46:04:99:20:36:d0:60:6e:61:06:bb:
        16:42:8c:70:f7:30:fb:e0:db:66:a3:00:01:bd:e6:2c:da:91:
        5f:a0:46:8b:4d:6a:9c:3d:3d:dd:05:46:fe:76:bf:a0:0a:3c:
        e4:00:e6:27:b7:ff:84:2d:de:ba:22:27:96:10:71:eb:22:ed:
        df:df:33:9c:cf:e3:ad:ae:8e:d4:8e:e6:4f:51:af:16:92:e0:
        5c:f6:07:0f

how much would it take to extract the key and signature from that?

having more time, i'd just study the binary file format and parse 
it myself. i don't see any show-stopper.

but again, assume this was built in, or available as library from 
rt. you would simply find something else that is not built in and 
complain about that :)

Where were you when I needed the help? :-)

any word on library access for R3.. is it free now?

otherwise CALL is the only way to go

terry, yes afaik. not discussed yet though.

petr, am i really the only one who could do that? :)

you  'da man Gab

OK, I will ask the other way? How would you trust I am me? (or how 
to write it in english), if not to trust some third party = CA? IIRC 
Carl or Josh said, that new SDK (dunno if it was ment generally, 
or only for plug-in), could generate some special license key or 
certificate for me, so that users could check? Similar aproach as 
when you install driver and you have the ability to check, if it 
comes from trusted party. That was all my point why I asked if it 
is coming.

plug in - that's ActiveX signing. it's a MS thing mainly.

rebol side - just use rsa signature as shown in rebol.com docs. ie 
just add signature to your rebol script

then i only need to know your public key.

since i need to be sure that the public key i have i yours, and not 
someone else, we need a trusted party - that's called a CA

ie someone that certifies that you are actually Petr and not an impostor

Gabriele - probably so, because IIRC guys pointed me to be able to 
parse ... uhm, don't remember what it was ...

that can be done 100% in rebol. if you need to interoperate with 
other systems, then you need to parse their formats, eg x509.

but... it's just parsing. it would be nice to have built in... but 
i don't see it as show stopper.

I know - but do you think ppl will trust some home made CA? I thought 
that I will come to one of three CAs here, and will ask for commercial 
certificate (dunno who does so internationally - Thawte? Verison?)

Verisign etc. But it depends on the app.

in general, yes, you have to support the big guys like Verisign... 
but that really depends on the app itself.

eg. if we're talking about the employees in your company, your company 
could be your CA, since you already trust your own company to some 
degree

There is no other level, as how to build "trust" amongst ppl in open 
environment.

i can only say, that i haven't encountered the need to parse x509 
so far.