World: r3wp
[!REBOL3-OLD1]
older newer | first last |
Gabriele 5-Jun-2007 [3366x3] | how much would it take to extract the key and signature from that? |
having more time, i'd just study the binary file format and parse it myself. i don't see any show-stopper. | |
but again, assume this was built in, or available as library from rt. you would simply find something else that is not built in and complain about that :) | |
Pekr 5-Jun-2007 [3369] | Where were you when I needed the help? :-) |
Terry 5-Jun-2007 [3370x2] | any word on library access for R3.. is it free now? |
otherwise CALL is the only way to go | |
Gabriele 5-Jun-2007 [3372x2] | terry, yes afaik. not discussed yet though. |
petr, am i really the only one who could do that? :) | |
Terry 5-Jun-2007 [3374] | you 'da man Gab |
Pekr 5-Jun-2007 [3375] | OK, I will ask the other way? How would you trust I am me? (or how to write it in english), if not to trust some third party = CA? IIRC Carl or Josh said, that new SDK (dunno if it was ment generally, or only for plug-in), could generate some special license key or certificate for me, so that users could check? Similar aproach as when you install driver and you have the ability to check, if it comes from trusted party. That was all my point why I asked if it is coming. |
Gabriele 5-Jun-2007 [3376x5] | plug in - that's ActiveX signing. it's a MS thing mainly. |
rebol side - just use rsa signature as shown in rebol.com docs. ie just add signature to your rebol script | |
then i only need to know your public key. | |
since i need to be sure that the public key i have i yours, and not someone else, we need a trusted party - that's called a CA | |
ie someone that certifies that you are actually Petr and not an impostor | |
Pekr 5-Jun-2007 [3381] | Gabriele - probably so, because IIRC guys pointed me to be able to parse ... uhm, don't remember what it was ... |
Gabriele 5-Jun-2007 [3382x2] | that can be done 100% in rebol. if you need to interoperate with other systems, then you need to parse their formats, eg x509. |
but... it's just parsing. it would be nice to have built in... but i don't see it as show stopper. | |
Pekr 5-Jun-2007 [3384] | I know - but do you think ppl will trust some home made CA? I thought that I will come to one of three CAs here, and will ask for commercial certificate (dunno who does so internationally - Thawte? Verison?) |
Gabriele 5-Jun-2007 [3385x3] | Verisign etc. But it depends on the app. |
in general, yes, you have to support the big guys like Verisign... but that really depends on the app itself. | |
eg. if we're talking about the employees in your company, your company could be your CA, since you already trust your own company to some degree | |
Pekr 5-Jun-2007 [3388] | There is no other level, as how to build "trust" amongst ppl in open environment. |
Gabriele 5-Jun-2007 [3389x3] | i can only say, that i haven't encountered the need to parse x509 so far. |
otherwise... i would have solved the problem in some way... it's just parsing. worst case you call out to some known good parser like openssl | |
and if you don't even want to trust rebol's internal rsa code... you can call openssl for everything. that code is trusted by all | |
Pekr 5-Jun-2007 [3392] | Yes, I know. But imagine me being an evil man. I will register with RT. They have their own CA, register me, give me certificate. I will do evil script. PPL will trust me, run the script, and damage will come. They turn to RT, and RT tells them - that developer is Petr Krenzelok. And I say - what? I never registered. So, the only way of RT to know I am who I am is, that I will visit some CA, provide some evidence (ID card, driving license, passport), and register, no? |
Gabriele 5-Jun-2007 [3393] | that's correct, RT should never certify you are you without having proof. |
Pekr 5-Jun-2007 [3394] | What I am talking all the time about is - how to build trust in distributed environment. Some of us will need to produce scripts with lowered security. If I see a requestor asking me for lowering security, I will not run the app, unless I can be sure, that it comes from Gabriele for e.g., and that if Gabriele ruins my HD data, I can visit DevCon next year and ask for refundation :-)) |
Gabriele 5-Jun-2007 [3395x4] | a digital certificate is just like a paper certificate - the value depends on the issuers, and the parties involved. |
someone may trust a document signed by me, someone else will need an official document from some state authority. | |
trust is generally based on chains | |
i trust you because someone else i already trust trustes you. | |
Pekr 5-Jun-2007 [3399] | in order to be able to verify certificate, you need to verify it against the root certificate of CA. So if RT becomes CA for its developers, it would be better for them to be able to verify, who asks for certificate. E.g. visit devcon in private, for Carl to be sure who you are :-) |
Gabriele 5-Jun-2007 [3400] | basically, since you are running rebol.exe, you are trusting rt already. |
Pekr 5-Jun-2007 [3401] | yes, rebol.exe could do damage in the extent of my OS user priviledges. |
Gabriele 5-Jun-2007 [3402] | so, if rt can identify me (eg in person at devcon like you say) and tell you via certificate that a script is really from me (identification + authentication), you can then trust the script if you trust me |
Pekr 5-Jun-2007 [3403x2] | hmm, host executable is open sourced, right? Who will be officila provider of such exe? |
yes | |
Gabriele 5-Jun-2007 [3405x2] | who's the official provider of linux? :) |
rt will provide an official one | |
Pekr 5-Jun-2007 [3407x3] | but easier for RT to verify you is to accept some certificate, than to travel to devcon :-) |
ah, linux ... so true .... you have to take some risk .... | |
Simply if I find some R3 distro with modified host environment, so better I am sure where it comes from, right? | |
Gabriele 5-Jun-2007 [3410x4] | what i mean is, the tech side of things is in rebol. the non-tech side is a different matter altogether. |
right :) | |
same thing if you find any exe anywhere. | |
if someone sends you rebhost.exe via email... well... i would not run that ;) | |
Pekr 5-Jun-2007 [3414] | that is why I think we should think about signatures (which is just a hash) and certificates in a bigger picture - mainly when we think about SDK apps or browser plug-in apps with lowered security level ... the truth is, it does not need to come with initial release, but should not be forgotten about. |
Gabriele 6-Jun-2007 [3415] | looks like R3 with 1000 animated gobs on 1000x700 window is at least 2x faster than R2 with 1000 animated faces on 1000x700 window. (someone has reported 5x) |
older newer | first last |