jsdsi-users Mailing List for JSDSI (Page 2)
Status: Pre-Alpha
Brought to you by: sajma
From: Somaya A. <som...@ya...> - 2005-11-03 18:56:32

Thanks. But what does jsdsi.Provider.install() actually do?

Sameer Ajmani <aj...@gm...> wrote:

On 11/2/05, Somaya Aboulwafa wrote:
> Hi Sameer,
>
> This is weird, as most of the test cases classes use
> this way to create KeyPairs.

Ahhh -- I bet the problem is that you have not installed the Jsdsi
Provider. Try calling jsdsi.Provider.install() in your main.

> What is the difference between those 2 keyPair Objects
> signer1 and signer2:
> KeyPair signer1=jsdsi.RSAPublicKey.create();
> KeyPair signer2 = KeyPairFactory.create(KeyEnum.RSA);
>
> I have two other questions:
> 1- Is there any other ways to create KeyPair Objects??
> 2- How could I test whether two keys are identical or
> not? Shall I use the equal method or it is not
> overridden to test on the value rather than the
> reference? .. Same question for signatures?

I'm really not sure -- I did not write these classes and am not
familiar with them. Sean could answer these, but till then, reading
the code is the best plan :) That said, Signature does indeed override
equals() to compare-by-value. Not sure about KeyPair; perhaps just
read the code for equals().

S

> Thanks,
> Somaya
>
> --- Sameer Ajmani wrote:
> > Sean, can you answer this? Looks like you wrote this code.
> >
> > This line is somewhat suspect:
> > 153 kpg = KeyPairGenerator.getInstance("SPKI/" + keyEnum.jdkName())
> >
> > There's no KeyPairGenerator registered as "SPKI/RSA". If you remove
> > the "SPKI/", this should work (I think the Java RSA library is simply
> > "RSA"), but this is just a hack for now. Hopefully Sean has an idea
> > of how this was supposed to work :)
> >
> > S
> >
> > On 11/1/05, Somaya Aboulwafa wrote:
> > > Hi,
> > > I am trying to create a new keypair as follows:
> > >
> > > KeyPair signer = KeyPairFactory.create(KeyEnum.RSA);
> > >
> > > but I got the following Runtime Exception:
> > >
> > > jsdsi.JsdsiRuntimeException:
> > > java.security.NoSuchAlgorithmException: SPKI/RSA KeyPairGenerator not available
> > >   at jsdsi.util.KeyPairFactory.createKeyPairGenerator(KeyPairFactory.java:155)
> > >   at jsdsi.util.KeyPairFactory.getKeyPairGenerator(KeyPairFactory.java:120)
> > >   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:102)
> > >   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:59)
> > >
> > > So any idea about why this is happening and how to overcome this?
> > >
> > > Thanks,
> > > Somaya
> > >
> > > __________________________________
> > > Start your day with Yahoo! - Make it your home page!
> > > http://www.yahoo.com/r/hs
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by the JBoss Inc.
> > > Get Certified Today * Register for a JBoss Training Course
> > > Free Certification Exam for All Training Attendees Through End of 2005
> > > Visit http://www.jboss.com/services/certification for more information
> > > _______________________________________________
> > > Jsdsi-users mailing list
> > > Jsd...@li...
> > > https://lists.sourceforge.net/lists/listinfo/jsdsi-users
> >
> > --
> > Sameer
> > http://ajmani.net
>
> __________________________________
> Yahoo! FareChase: Search multiple travel sites in one click.
> http://farechase.yahoo.com

--
Sameer
http://ajmani.net

-------------------------------------------------------
SF.Net email is sponsored by: Tame your development challenges with
Apache's Geronimo App Server. Download it for free - -and be entered
to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to
play: http://sourceforge.net/geronimo.php
_______________________________________________
Jsdsi-users mailing list
Jsd...@li...
https://lists.sourceforge.net/lists/listinfo/jsdsi-users

---------------------------------
Yahoo! FareChase - Search multiple travel sites in one click.
From: Sameer A. <aj...@gm...> - 2005-11-02 14:30:53

On 11/2/05, Somaya Aboulwafa <som...@ya...> wrote:
> Hi Sameer,
>
> This is weird, as most of the test cases classes use
> this way to create KeyPairs.

Ahhh -- I bet the problem is that you have not installed the Jsdsi
Provider. Try calling jsdsi.Provider.install() in your main.

> What is the difference between those 2 keyPair Objects
> signer1 and signer2:
> KeyPair signer1=jsdsi.RSAPublicKey.create();
> KeyPair signer2 = KeyPairFactory.create(KeyEnum.RSA);
>
> I have two other questions:
> 1- Is there any other ways to create KeyPair Objects??
> 2- How could I test whether two keys are identical or
> not? Shall I use the equal method or it is not
> overridden to test on the value rather than the
> reference? .. Same question for signatures?

I'm really not sure -- I did not write these classes and am not
familiar with them. Sean could answer these, but till then, reading
the code is the best plan :) That said, Signature does indeed override
equals() to compare-by-value. Not sure about KeyPair; perhaps just
read the code for equals().

S

> Thanks,
> Somaya
>
> --- Sameer Ajmani <aj...@gm...> wrote:
> > Sean, can you answer this? Looks like you wrote this code.
> >
> > This line is somewhat suspect:
> > 153 kpg = KeyPairGenerator.getInstance("SPKI/" + keyEnum.jdkName())
> >
> > There's no KeyPairGenerator registered as "SPKI/RSA". If you remove
> > the "SPKI/", this should work (I think the Java RSA library is simply
> > "RSA"), but this is just a hack for now. Hopefully Sean has an idea
> > of how this was supposed to work :)
> >
> > S
> >
> > On 11/1/05, Somaya Aboulwafa <som...@ya...> wrote:
> > > Hi,
> > > I am trying to create a new keypair as follows:
> > >
> > > KeyPair signer = KeyPairFactory.create(KeyEnum.RSA);
> > >
> > > but I got the following Runtime Exception:
> > >
> > > jsdsi.JsdsiRuntimeException:
> > > java.security.NoSuchAlgorithmException: SPKI/RSA KeyPairGenerator not available
> > >   at jsdsi.util.KeyPairFactory.createKeyPairGenerator(KeyPairFactory.java:155)
> > >   at jsdsi.util.KeyPairFactory.getKeyPairGenerator(KeyPairFactory.java:120)
> > >   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:102)
> > >   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:59)
> > >
> > > So any idea about why this is happening and how to overcome this?
> > >
> > > Thanks,
> > > Somaya
> >
> > --
> > Sameer
> > http://ajmani.net

--
Sameer
http://ajmani.net
From: Somaya A. <som...@ya...> - 2005-11-02 10:02:02

Hi Sameer,

This is weird, as most of the test cases classes use this way to
create KeyPairs.

What is the difference between those 2 keyPair Objects signer1 and
signer2:
KeyPair signer1=jsdsi.RSAPublicKey.create();
KeyPair signer2 = KeyPairFactory.create(KeyEnum.RSA);

I have two other questions:
1- Is there any other ways to create KeyPair Objects??
2- How could I test whether two keys are identical or not? Shall I use
the equal method or it is not overridden to test on the value rather
than the reference? .. Same question for signatures?

Thanks,
Somaya

--- Sameer Ajmani <aj...@gm...> wrote:
> Sean, can you answer this? Looks like you wrote this code.
>
> This line is somewhat suspect:
> 153 kpg = KeyPairGenerator.getInstance("SPKI/" + keyEnum.jdkName())
>
> There's no KeyPairGenerator registered as "SPKI/RSA". If you remove
> the "SPKI/", this should work (I think the Java RSA library is simply
> "RSA"), but this is just a hack for now. Hopefully Sean has an idea
> of how this was supposed to work :)
>
> S
>
> On 11/1/05, Somaya Aboulwafa <som...@ya...> wrote:
> > Hi,
> > I am trying to create a new keypair as follows:
> >
> > KeyPair signer = KeyPairFactory.create(KeyEnum.RSA);
> >
> > but I got the following Runtime Exception:
> >
> > jsdsi.JsdsiRuntimeException:
> > java.security.NoSuchAlgorithmException: SPKI/RSA KeyPairGenerator not available
> >   at jsdsi.util.KeyPairFactory.createKeyPairGenerator(KeyPairFactory.java:155)
> >   at jsdsi.util.KeyPairFactory.getKeyPairGenerator(KeyPairFactory.java:120)
> >   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:102)
> >   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:59)
> >
> > So any idea about why this is happening and how to overcome this?
> >
> > Thanks,
> > Somaya
>
> --
> Sameer
> http://ajmani.net
From: Sameer A. <aj...@gm...> - 2005-11-01 15:12:39

Sean, can you answer this? Looks like you wrote this code.

This line is somewhat suspect:
153 kpg = KeyPairGenerator.getInstance("SPKI/" + keyEnum.jdkName())

There's no KeyPairGenerator registered as "SPKI/RSA". If you remove
the "SPKI/", this should work (I think the Java RSA library is simply
"RSA"), but this is just a hack for now. Hopefully Sean has an idea
of how this was supposed to work :)

S

On 11/1/05, Somaya Aboulwafa <som...@ya...> wrote:
> Hi,
> I am trying to create a new keypair as follows:
>
> KeyPair signer = KeyPairFactory.create(KeyEnum.RSA);
>
> but I got the following Runtime Exception:
>
> jsdsi.JsdsiRuntimeException:
> java.security.NoSuchAlgorithmException: SPKI/RSA KeyPairGenerator not available
>   at jsdsi.util.KeyPairFactory.createKeyPairGenerator(KeyPairFactory.java:155)
>   at jsdsi.util.KeyPairFactory.getKeyPairGenerator(KeyPairFactory.java:120)
>   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:102)
>   at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:59)
>
> So any idea about why this is happening and how to overcome this?
>
> Thanks,
> Somaya

--
Sameer
http://ajmani.net
From: Somaya A. <som...@ya...> - 2005-11-01 13:20:35

Hi,
I am trying to create a new keypair as follows:

KeyPair signer = KeyPairFactory.create(KeyEnum.RSA);

but I got the following Runtime Exception:

jsdsi.JsdsiRuntimeException:
java.security.NoSuchAlgorithmException: SPKI/RSA KeyPairGenerator not available
  at jsdsi.util.KeyPairFactory.createKeyPairGenerator(KeyPairFactory.java:155)
  at jsdsi.util.KeyPairFactory.getKeyPairGenerator(KeyPairFactory.java:120)
  at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:102)
  at jsdsi.util.KeyPairFactory.create(KeyPairFactory.java:59)

So any idea about why this is happening and how to overcome this?

Thanks,
Somaya
From: Sameer A. <aj...@gm...> - 2005-10-31 15:50:21

The easiest way will be for you to download the source and generate it
yourself -- I don't have any simpler way to do it myself.

S

On 10/31/05, Somaya Aboulwafa <som...@ya...> wrote:
> Hi Sameer,
>
> I just want to know how I could have an offline version of the latest
> JSDSI Javadoc that is found @ http://jsdsi.sourceforge.net/apidocs/index.html.
> I have downloaded stuff from the CVS, however the downloaded javadoc
> from the cvs is not up-to-date.
>
> Many Thanks,
> Somaya
>
> __________________________________
> Yahoo! Mail - PC Magazine Editors' Choice 2005
> http://mail.yahoo.com

--
Sameer
http://ajmani.net
From: Somaya A. <som...@ya...> - 2005-10-31 14:08:10

Hi Sameer,

I just want to know how I could have an offline version of the latest
JSDSI Javadoc that is found @ http://jsdsi.sourceforge.net/apidocs/index.html.
I have downloaded stuff from the CVS, however the downloaded javadoc
from the cvs is not up-to-date.

Many Thanks,
Somaya
From: Sameer A. <aj...@gm...> - 2005-10-28 23:18:31

http://world.std.com/~cme/html/spki.html has a bunch of links. The
RFCs are probably the best resource, though.

S

On 10/27/05, Somaya Aboulwafa <som...@ya...> wrote:
>
> Many thanks for your descriptive reply.
> I've downloaded JSDSI and tried to use it. But actually I felt that
> I miss some SPKI related basics and I need to further enhance my
> knowledge. So do you have any good resources about it to recommend
> other than RFC2693 and RFC2692.
> Thanks again.
> Somaya
>
> --- Sameer Ajmani <aj...@gm...> wrote:
> > SPKI should provide what you need. SPKI name certificates provide a
> > very flexible way to bind names to sets of keys and allow principals
> > to delegate names, e.g.:
> >   K_MIT faculty -> K_MIT eecs_dept faculty
> > This says MIT's name "faculty" includes the keys in MIT's EECS
> > department's faculty. This name is resolved by resolving "K_MIT
> > eecs_dept" to the EECS department key(s), then using that key to
> > resolve faculty. And note that MIT can have another cert that adds
> > more keys to its faculty set, e.g.:
> >   K_MIT faculty -> K_MIT physics_dept faculty
> >
> > For membership in a particular organization, you might represent this
> > via names or via authorization certs; it depends on what you're trying
> > to achieve. For example, name certs let you represent an organization
> > as a set of public keys, e.g.:
> >   K_org_manager organization_members -> K_sameer
> > This cert says the organization manager defines the group
> > "organization_members" to include my public key.
> >   K_org_manager organization_members ->
> >     K_org_manager organization_members organization_members
> > This cert says that organization members can further add more members
> > via their own "organization_members" groups.
> >
> > But you can achieve some more flexibility with auth certificates. In
> > particular, it's easiest to express delegation of authority, and you
> > can express more than just membership:
> >   K_org_manager (tag (* set member)) -> K_sameer
> >   K_org_manager (tag (* set member manager)) -> K_somaya
> >
> > These two certs delegate the "member" authorization to you and me, and
> > also delegate the "manager" authorization to you. The *application*
> > (i.e., access controller) for the group must interpret these
> > authorization tags -- SPKI/SDSI doesn't interpret tags, it just knows
> > how to combine them.
> >
> > Finally, note that the object of a certificate (the right-hand-side)
> > need not be a key; it can be an "ObjectHash", i.e., an identifier for
> > an arbitrary object. In particular, this ObjectHash could refer to a
> > capability object that you define. But I think an auth certificate is
> > a more direct way of representing a capability in SPKI/SDSI.
> >
> > S
> >
> > On 10/25/05, Somaya Aboulwafa <som...@ya...> wrote:
> > > Hi all,
> > > I am working on a project that is supposed to build a trust
> > > management system. And I want to decide the type of certificate to
> > > work with. However I'm a little bit confused as I don't have a strong
> > > background in PKI; I don't know whether to use X.509v3 or SPKI
> > > certificates. So I would be really grateful if you answered my
> > > inquiries.
> > >
> > > First, in my system I need identity certificates, authorization
> > > certificates, and capability certificates. For identity certificates,
> > > I need it not just to bind public keys to names, however I need it to
> > > bind the public key to more specific information (e.g. membership in
> > > a certain organization, age, student in a certain school, etc). For
> > > the capability certificate, I need it to bind the public key to a
> > > certain capability (e.g. providing a certain service) .. so which of
> > > them do you think is more appropriate in my case?
> > >
> > > Second, in case SPKI is more appropriate, do you think JSDSI would be
> > > useful for me? I want a tool that lets me create/generate SPKI
> > > certificates, delegate certificates, verify certificates and
> > > certification paths.
> > >
> > > Any further advice in this track is much appreciated.
> > > Thanks in advance
> > > Somaya
> >
> > --
> > Sameer
> > http://ajmani.net

--
Sameer
http://ajmani.net
From: Somaya A. <som...@ya...> - 2005-10-27 13:47:01

Many thanks for your descriptive reply.
I've downloaded JSDSI and tried to use it. But actually I felt that
I miss some SPKI related basics and I need to further enhance my
knowledge. So do you have any good resources about it to recommend
other than RFC2693 and RFC2692.
Thanks again.
Somaya

--- Sameer Ajmani <aj...@gm...> wrote:
> SPKI should provide what you need. SPKI name certificates provide a
> very flexible way to bind names to sets of keys and allow principals
> to delegate names, e.g.:
>   K_MIT faculty -> K_MIT eecs_dept faculty
> This says MIT's name "faculty" includes the keys in MIT's EECS
> department's faculty. This name is resolved by resolving "K_MIT
> eecs_dept" to the EECS department key(s), then using that key to
> resolve faculty. And note that MIT can have another cert that adds
> more keys to its faculty set, e.g.:
>   K_MIT faculty -> K_MIT physics_dept faculty
>
> For membership in a particular organization, you might represent this
> via names or via authorization certs; it depends on what you're trying
> to achieve. For example, name certs let you represent an organization
> as a set of public keys, e.g.:
>   K_org_manager organization_members -> K_sameer
> This cert says the organization manager defines the group
> "organization_members" to include my public key.
>   K_org_manager organization_members ->
>     K_org_manager organization_members organization_members
> This cert says that organization members can further add more members
> via their own "organization_members" groups.
>
> But you can achieve some more flexibility with auth certificates. In
> particular, it's easiest to express delegation of authority, and you
> can express more than just membership:
>   K_org_manager (tag (* set member)) -> K_sameer
>   K_org_manager (tag (* set member manager)) -> K_somaya
>
> These two certs delegate the "member" authorization to you and me, and
> also delegate the "manager" authorization to you. The *application*
> (i.e., access controller) for the group must interpret these
> authorization tags -- SPKI/SDSI doesn't interpret tags, it just knows
> how to combine them.
>
> Finally, note that the object of a certificate (the right-hand-side)
> need not be a key; it can be an "ObjectHash", i.e., an identifier for
> an arbitrary object. In particular, this ObjectHash could refer to a
> capability object that you define. But I think an auth certificate is
> a more direct way of representing a capability in SPKI/SDSI.
>
> S
>
> On 10/25/05, Somaya Aboulwafa <som...@ya...> wrote:
> > Hi all,
> > I am working on a project that is supposed to build a trust
> > management system. And I want to decide the type of certificate to
> > work with. However I'm a little bit confused as I don't have a strong
> > background in PKI; I don't know whether to use X.509v3 or SPKI
> > certificates. So I would be really grateful if you answered my
> > inquiries.
> >
> > First, in my system I need identity certificates, authorization
> > certificates, and capability certificates. For identity certificates,
> > I need it not just to bind public keys to names, however I need it to
> > bind the public key to more specific information (e.g. membership in
> > a certain organization, age, student in a certain school, etc). For
> > the capability certificate, I need it to bind the public key to a
> > certain capability (e.g. providing a certain service) .. so which of
> > them do you think is more appropriate in my case?
> >
> > Second, in case SPKI is more appropriate, do you think JSDSI would be
> > useful for me? I want a tool that lets me create/generate SPKI
> > certificates, delegate certificates, verify certificates and
> > certification paths.
> >
> > Any further advice in this track is much appreciated.
> > Thanks in advance
> > Somaya
>
> --
> Sameer
> http://ajmani.net
From: Sameer A. <aj...@gm...> - 2005-10-25 13:30:26

SPKI should provide what you need. SPKI name certificates provide a
very flexible way to bind names to sets of keys and allow principals
to delegate names, e.g.:
  K_MIT faculty -> K_MIT eecs_dept faculty
This says MIT's name "faculty" includes the keys in MIT's EECS
department's faculty. This name is resolved by resolving "K_MIT
eecs_dept" to the EECS department key(s), then using that key to
resolve faculty. And note that MIT can have another cert that adds
more keys to its faculty set, e.g.:
  K_MIT faculty -> K_MIT physics_dept faculty

For membership in a particular organization, you might represent this
via names or via authorization certs; it depends on what you're trying
to achieve. For example, name certs let you represent an organization
as a set of public keys, e.g.:
  K_org_manager organization_members -> K_sameer
This cert says the organization manager defines the group
"organization_members" to include my public key.
  K_org_manager organization_members ->
    K_org_manager organization_members organization_members
This cert says that organization members can further add more members
via their own "organization_members" groups.

But you can achieve some more flexibility with auth certificates. In
particular, it's easiest to express delegation of authority, and you
can express more than just membership:
  K_org_manager (tag (* set member)) -> K_sameer
  K_org_manager (tag (* set member manager)) -> K_somaya

These two certs delegate the "member" authorization to you and me, and
also delegate the "manager" authorization to you. The *application*
(i.e., access controller) for the group must interpret these
authorization tags -- SPKI/SDSI doesn't interpret tags, it just knows
how to combine them.

Finally, note that the object of a certificate (the right-hand-side)
need not be a key; it can be an "ObjectHash", i.e., an identifier for
an arbitrary object. In particular, this ObjectHash could refer to a
capability object that you define. But I think an auth certificate is
a more direct way of representing a capability in SPKI/SDSI.

S

On 10/25/05, Somaya Aboulwafa <som...@ya...> wrote:
> Hi all,
> I am working on a project that is supposed to build a trust
> management system. And I want to decide the type of certificate to
> work with. However I'm a little bit confused as I don't have a strong
> background in PKI; I don't know whether to use X.509v3 or SPKI
> certificates. So I would be really grateful if you answered my
> inquiries.
>
> First, in my system I need identity certificates, authorization
> certificates, and capability certificates. For identity certificates,
> I need it not just to bind public keys to names, however I need it to
> bind the public key to more specific information (e.g. membership in
> a certain organization, age, student in a certain school, etc). For
> the capability certificate, I need it to bind the public key to a
> certain capability (e.g. providing a certain service) .. so which of
> them do you think is more appropriate in my case?
>
> Second, in case SPKI is more appropriate, do you think JSDSI would be
> useful for me? I want a tool that lets me create/generate SPKI
> certificates, delegate certificates, verify certificates and
> certification paths.
>
> Any further advice in this track is much appreciated.
> Thanks in advance
> Somaya

--
Sameer
http://ajmani.net
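The name-cert and auth-cert mechanics Sameer sketches above (name resolution through "K_MIT eecs_dept faculty", the self-referential "organization_members" group, tag intersection along a delegation chain, and a tag the application must interpret) as a small working model. This is an added example, not JSDSI code: keys are plain strings, every certificate is constructed sample data, signatures are assumed already verified, and the tag algebra is limited to atoms and `(* set ...)` forms. It goes slightly beyond the post by letting an auth cert's subject be a name and by computing name resolution as a least fixpoint, which is what makes the recursive group definition terminate.

```python
"""SPKI/SDSI name certs and auth certs, reduced to a runnable model.

Added example (not JSDSI code). Keys are strings such as "K_MIT"; a name is
(issuer_key, (local_name, ...)). Certificates below are constructed sample
data and are assumed to be signature-checked already.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union

Key = str
Name = Tuple[Key, Tuple[str, ...]]     # ("K_MIT", ("eecs_dept", "faculty"))
Subject = Union[Key, Name]
Tag = Union[str, tuple]                # "member" or ("*", "set", "member", ...)
UNIVERSAL: Tag = ("*",)


@dataclass(frozen=True)
class NameCert:
    issuer: Key
    name: str
    subject: Subject                   # K_issuer name -> subject


@dataclass(frozen=True)
class AuthCert:
    issuer: Key
    subject: Subject
    tag: Tag
    delegate: bool                     # may the subject pass the authority on?


def _walk(table, keys, names):
    """Follow a (possibly multi-part) name through the current name table."""
    for n in names:
        keys = frozenset().union(*(table.get((k, n), frozenset()) for k in keys))
    return keys


def resolve_names(certs) -> Dict[Tuple[Key, str], FrozenSet[Key]]:
    """Least fixpoint of all name certs: (issuer, name) -> keys it denotes.
    Re-running until nothing changes copes with recursive definitions such as
    K_org members -> K_org members members, which naive recursion would not."""
    table: Dict[Tuple[Key, str], FrozenSet[Key]] = {}
    changed = True
    while changed:
        changed = False
        for c in certs:
            if isinstance(c.subject, str):
                found = frozenset({c.subject})
            else:
                start, names = c.subject
                found = _walk(table, frozenset({start}), names)
            have = table.get((c.issuer, c.name), frozenset())
            if not found <= have:
                table[(c.issuer, c.name)] = have | found
                changed = True
    return table


def resolve(table, key: Key, names) -> FrozenSet[Key]:
    """Keys denoted by 'key name1 name2 ...' under a resolved table."""
    return _walk(table, frozenset({key}), tuple(names))


def intersect_tags(a: Tag, b: Tag):
    """Intersection of two tags (atoms and (* set ...) only); None = disjoint.
    SPKI/SDSI only combines tags; what "member" means is the application's call."""
    if a == UNIVERSAL:
        return b
    if b == UNIVERSAL:
        return a
    a_set = isinstance(a, tuple) and a[:2] == ("*", "set")
    b_set = isinstance(b, tuple) and b[:2] == ("*", "set")
    if a_set and b_set:
        common = tuple(x for x in a[2:] if x in b[2:])
        return ("*", "set") + common if common else None
    if a_set:
        return b if b in a[2:] else None
    if b_set:
        return a if a in b[2:] else None
    return a if a == b else None


def authorized(auth_certs, table, issuer: Key, principal: Key, wanted: Tag) -> bool:
    """Does a chain of auth certs from `issuer` grant `wanted` to `principal`?
    Every cert but the last needs the delegate bit; the tag is intersected along the chain."""
    def search(holder, tag, used):
        for c in auth_certs:
            if c.issuer != holder or c in used:
                continue
            narrowed = intersect_tags(tag, c.tag)
            if narrowed is None or intersect_tags(narrowed, wanted) != wanted:
                continue               # this branch can no longer grant `wanted`
            subjects = (frozenset({c.subject}) if isinstance(c.subject, str)
                        else resolve(table, *c.subject))
            if principal in subjects:
                return True
            if c.delegate and any(search(s, narrowed, used | {c}) for s in subjects):
                return True
        return False
    return search(issuer, UNIVERSAL, frozenset())


# Constructed sample certificates (placeholder keys, not real ones).
NAME_CERTS = [
    NameCert("K_MIT", "faculty", ("K_MIT", ("eecs_dept", "faculty"))),
    NameCert("K_MIT", "faculty", ("K_MIT", ("physics_dept", "faculty"))),
    NameCert("K_MIT", "eecs_dept", "K_eecs"),
    NameCert("K_MIT", "physics_dept", "K_physics"),
    NameCert("K_eecs", "faculty", "K_alice"),
    NameCert("K_physics", "faculty", "K_bob"),
    NameCert("K_org_manager", "organization_members", "K_sameer"),
    NameCert("K_org_manager", "organization_members",
             ("K_org_manager", ("organization_members", "organization_members"))),
    NameCert("K_sameer", "organization_members", "K_carol"),
    NameCert("K_carol", "organization_members", "K_dave"),
]
AUTH_CERTS = [
    AuthCert("K_org_manager", "K_sameer", ("*", "set", "member"), False),
    AuthCert("K_org_manager", "K_somaya", ("*", "set", "member", "manager"), True),
    # Somaya offers more than she holds; "billing" is cut by the intersection.
    AuthCert("K_somaya", "K_eve", ("*", "set", "member", "manager", "billing"), False),
    # Sameer's own cert lacks the delegate bit, so this grant carries nothing.
    AuthCert("K_sameer", "K_frank", ("*", "set", "member"), False),
    # A subject may be a name: everyone in "K_MIT faculty" becomes a member.
    AuthCert("K_org_manager", ("K_MIT", ("faculty",)), ("*", "set", "member"), False),
]

if __name__ == "__main__":
    t = resolve_names(NAME_CERTS)
    print("K_MIT faculty:", sorted(resolve(t, "K_MIT", ["faculty"])))
    print("org members  :", sorted(resolve(t, "K_org_manager", ["organization_members"])))
    for who, tag in [("K_sameer", "manager"), ("K_eve", "manager"), ("K_eve", "billing")]:
        print(who, tag, authorized(AUTH_CERTS, t, "K_org_manager", who, tag))
```

The fixpoint loop is the part worth studying: the cert "K_org_manager organization_members -> K_org_manager organization_members organization_members" refers to the name it defines, so a direct recursive resolver would loop; re-evaluating every cert against the growing table until it stops changing gives the closure and terminates because the key set is finite. In `authorized`, a branch is abandoned as soon as the intersected tag no longer covers the requested one, which is why K_eve gets "manager" (it survives the intersection with K_somaya's cert) but not "billing".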
From: Somaya A. <som...@ya...> - 2005-10-25 10:08:11

Hi all,
I am working on a project that is supposed to build a trust management
system. And I want to decide the type of certificate to work with.
However I'm a little bit confused as I don't have a strong background
in PKI; I don't know whether to use X.509v3 or SPKI certificates. So I
would be really grateful if you answered my inquiries.

First, in my system I need identity certificates, authorization
certificates, and capability certificates. For identity certificates,
I need it not just to bind public keys to names, however I need it to
bind the public key to more specific information (e.g. membership in a
certain organization, age, student in a certain school, etc). For the
capability certificate, I need it to bind the public key to a certain
capability (e.g. providing a certain service) .. so which of them do
you think is more appropriate in my case?

Second, in case SPKI is more appropriate, do you think JSDSI would be
useful for me? I want a tool that lets me create/generate SPKI
certificates, delegate certificates, verify certificates and
certification paths.

Any further advice in this track is much appreciated.
Thanks in advance
Somaya
From: <ale...@f-...> - 2005-06-09 19:07:37

Sameer,

>You are correct -- this is a bug. The error is in jsdsi.PublicKey:
>...
>
>This ought to be:
>return RSAPublicKey.parseRSAPublicKey(key, type, uris);
>...
>If this fails in the crypto package, let us know.

Thanks for the prompt response. We'll try what you suggest tomorrow;
I'll let you know the result.

Regards,
Alexey
From: Sameer A. <aj...@gm...> - 2005-06-09 16:00:14
|
You are correct -- this is a bug. The error is in jsdsi.PublicKey:

    if (type.startsWith("rsa")) {
        return RSAPublicKey.parseRSAPublicKey(key, "RSA", uris);

This ought to be:

    return RSAPublicKey.parseRSAPublicKey(key, type, uris);

But I believe we changed it at some point because this type did not match the algorithm names expected by the underlying crypto package. But as you point out, this is clearly the wrong thing to do. For now, you might try changing this line to see if that fixes your problem. If this fails in the crypto package, let us know.

Also, I noticed that there's some significant code duplication: RSAPublicKey.parseRSAPublicKey is copied twice with just a small change in signature (URL vs. URI). The right way to implement this is for the URL version to convert the URLs to URIs (using Util.convert()) and call the URI version. Sean -- I believe you implemented this -- can you fix it?

Thanks,
Sameer

On 6/9/05, ale...@f-... <ale...@f-...> wrote:
> Hello,
>
> At 09:38 6.6.2005 -0400, Sameer Ajmani wrote:
> >Yes, JSDSI should be hashing the canonical representation of the
> >public key. This is implemented using new Hash(principal), where
> >principal might be a PublicKey or PublicKeyHash.
>
> I may be in error, but apparently JSDSI computes hashes and signatures
> not on object representations in certificates but on its own internal
> representations, at least in some cases.
> In our case, types of public keys were originally specified as "rsa-pkcs-sha1",
> and JSDSI converted that to simply "rsa" (which is all right when done
> internally)
> and then computed hashes and signatures with the short form of the type.
> Sure, the result didn't match hashes and signatures in the certificates.
>
> I believe this is not a correct behavior, because some things in SPKI are not
> specified rigorously. Since different implementations may represent certain
> types and objects in different, but valid, ways, all verification computations
> should be applied to data found in certificates, in their original form.
>
> I'd be happy to know that the above problem is due to my misunderstanding.
> Otherwise, it's gonna be real hard to achieve JSDSI compatibility with other
> implementations even in the simplest cases. I'd appreciate your comment.
>
> Thanks.
>
> Best regards,
>
> Alexey

--
Sameer
http://ajmani.net |
From: <ale...@f-...> - 2005-06-09 13:46:50
|
Hello,

At 09:38 6.6.2005 -0400, Sameer Ajmani wrote:
>Yes, JSDSI should be hashing the canonical representation of the
>public key. This is implemented using new Hash(principal), where
>principal might be a PublicKey or PublicKeyHash.

I may be in error, but apparently JSDSI computes hashes and signatures not on object representations in certificates but on its own internal representations, at least in some cases. In our case, types of public keys were originally specified as "rsa-pkcs-sha1", and JSDSI converted that to simply "rsa" (which is all right when done internally) and then computed hashes and signatures with the short form of the type. Sure, the result didn't match hashes and signatures in the certificates.

I believe this is not a correct behavior, because some things in SPKI are not specified rigorously. Since different implementations may represent certain types and objects in different, but valid, ways, all verification computations should be applied to data found in certificates, in their original form.

I'd be happy to know that the above problem is due to my misunderstanding. Otherwise, it's gonna be real hard to achieve JSDSI compatibility with other implementations even in the simplest cases. I'd appreciate your comment.

Thanks.

Best regards,

Alexey |
From: Sameer A. <aj...@gm...> - 2005-06-06 13:38:04
|
Yes, JSDSI should be hashing the canonical representation of the public key. This is implemented using new Hash(principal), where principal might be a PublicKey or PublicKeyHash.

S

P.S. I gave you the wrong address for the list: it's jsd...@li...

On 6/6/05, ale...@f-... <ale...@f-...> wrote:
> Hello Sameer,
>
> I sent the below message to jsdsi-users but received the "undeliverable"
> notification back. Would appreciate your help. Thank you.
>
> >Sure. You should send mail to jsd...@sf... rather than directly
> >to me, as some of the other JSDSI developers may be better able to
> >answer your questions.
>
> Hello.
>
> When representing a principal by the hash of its public key,
> what exactly does JSDSI apply the hash function to? Is that the full
> S-exp representation of the public key, like
> (10:public-key(14:rsa-pkcs1-sha1...)),
> or something different?
>
> Thank you.
>
> Regards,
>
> Alexey

--
Sameer
http://ajmani.net |
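The hashing question in the message above, worked through as an added Python example (this is not JSDSI code and not from anyone on the list): it writes a public-key object in canonical S-expression form, hashes those exact bytes to get the principal's hash, and checks a hash from a certificate against the key bytes as found there rather than against a re-serialised internal form. The key material (SAMPLE_E, SAMPLE_N) is constructed and is not a real RSA key; the function names are my own, and it works for any public-key object, not only RSA.

```python
import hashlib

# Constructed sample key material (NOT a real RSA key): a short modulus and
# the usual exponent, just enough to show exactly which bytes get hashed.
SAMPLE_E = b"\x01\x00\x01"
SAMPLE_N = bytes(range(1, 33))


def canonical(sexp):
    """Canonical S-expression encoding: an atom (bytes) is written as
    <decimal length>:<raw bytes>; a list as '(' + its elements + ')'.
    str atoms are UTF-8 encoded for convenience."""
    if isinstance(sexp, str):
        sexp = sexp.encode()
    if isinstance(sexp, bytes):
        return str(len(sexp)).encode() + b":" + sexp
    return b"(" + b"".join(canonical(x) for x in sexp) + b")"


def parse_canonical(data):
    """Parse one canonical S-expression from bytes.
    Returns (sexp, offset_after_it); atoms come back as bytes."""
    def parse_at(i):
        if data[i:i + 1] == b"(":
            items, i = [], i + 1
            while data[i:i + 1] != b")":
                if i >= len(data):
                    raise ValueError("unterminated list")
                item, i = parse_at(i)
                items.append(item)
            return items, i + 1
        j = i
        while data[j:j + 1].isdigit():
            j += 1
        if j == i or data[j:j + 1] != b":":
            raise ValueError("expected <length>: at offset %d" % i)
        n, start = int(data[i:j]), j + 1
        if start + n > len(data):
            raise ValueError("truncated atom at offset %d" % start)
        return data[start:start + n], start + n
    return parse_at(0)


def public_key(alg_name, e=SAMPLE_E, n=SAMPLE_N):
    """Build a (public-key (<alg> (e ..) (n ..))) object."""
    return ["public-key", [alg_name, ["e", e], ["n", n]]]


def principal_hash(public_key_bytes, alg="sha1"):
    """Principal-by-hash: digest of the canonical public-key object,
    exactly as it appears on the wire."""
    return ["hash", alg, hashlib.new(alg, public_key_bytes).digest()]


def hash_matches(cert_hash, public_key_bytes):
    """Verify a (hash <alg> <digest>) object against key bytes found in a
    certificate, without re-serialising the key from an internal form."""
    _, alg, digest = cert_hash
    alg = alg.decode() if isinstance(alg, bytes) else alg
    return hashlib.new(alg, public_key_bytes).digest() == digest


def demo():
    """Reproduce the mismatch discussed above: hashing the original
    "rsa-pkcs1-sha1" form vs. an internal, shortened "rsa" form."""
    original = canonical(public_key("rsa-pkcs1-sha1"))
    internal = canonical(public_key("rsa"))
    reference = principal_hash(original)  # what another implementation put in the cert
    return {
        "original_ok": hash_matches(reference, original),
        "internal_ok": hash_matches(reference, internal),
        "roundtrip_ok": canonical(parse_canonical(original)[0]) == original,
    }


if __name__ == "__main__":
    print(canonical(public_key("rsa-pkcs1-sha1"))[:40])
    print(demo())
```

The digest over the shortened form does not match the one computed by the issuer over the original form, which is the interoperability failure described in this thread; a verifier should hash the bytes it parsed, not a re-encoding of its own object model.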
From: Sean R. <sra...@bl...> - 2004-11-03 15:46:35
|
Hi Will,

(great to see another person looking at / using JSDSI and SPKI)

William Harris Lawrence wrote:
>- How does one generate a key pair from a .public and .private file to sign a certificate?

How did you create these files / what format are the keys in within them?

>Specifically, I have been able to read an Alice.public file containing an RSA public key into a jsdsi.Obj. However, unlike Alex Morco's first implementation version of java sdsi, I see no method to create a RSAprivateKey from a sdsi object. The only examples I have seen in your tests to create a signature are from scratch by simply creating a keypair using jsdsi.RSAPublicKey.create().

If you have read the public key into a jsdsi.Obj, then I would guess that it is in fact an RSAPublicKey and you just need to cast it? Want to post some code snippets for us (me) to look at?

Sean

--
Dr. Sean Radford, MBBS, MSc
sra...@bl...
http://bladesys.demon.co.uk/ |
From: Dav C. <dav...@gm...> - 2004-09-12 07:15:41
|
Thanks, works great now!

On Fri, 27 Aug 2004 21:17:01 +0100, Luis Pedro <lp...@ne...> wrote:
> Dav,
>
> In fact there was a bug!! Hum, how did that happen :) :) Well, the error is
> fixed, you can take the new AclEntry.java from CVS.
>
> Good luck with your work.
>
> -- Luís Pedro
>
> _____________________
> yahoo: lpv_pt
> msn: lp...@ne...
>
> » -----Original Message-----
> » From: jsd...@li...
> » [mailto:jsd...@li...] On
> » Behalf Of Dav Coleman
> » Sent: Friday, 27 August 2004 17:59
> » To: jsdsi users
> » Subject: [Jsdsi-users] unable to read AclEntry
> »
> » Hi, when using jsdsi.ObjInputStream I am unable to read a
> » previously
> » written AclEntry, using both the jsdsi-0.5.jar and the
> » snapshot jar.
> » I'm attaching a java source that shows this.
> »
> » Here's the exception:
> » jsdsi.sexp.SexpParseException: expected list
> »     at jsdsi.sexp.SexpUtil.check(SexpUtil.java:109)
> »     at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:133)
> »     at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:142)
> »     at jsdsi.sexp.SexpUtil.getNextList(SexpUtil.java:171)
> »     at jsdsi.AclEntry.parseAclEntry(AclEntry.java:181)
> »     at jsdsi.Obj.parseObj(Obj.java:195)
> »     at jsdsi.Obj.parseObj(Obj.java:182)
> »     at jsdsi.sexp.ObjInputStream.readObj(ObjInputStream.java:52)
> »     at test.read(test.java:45)
> »     at test.main(test.java:67)
> »
> » For convenience, here's the javac and java cmds to test.
> »
> » javac -classpath extlib/jsdsi-0.5.jar test.java
> »
> » java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test write test.acl
> » cat test.acl
> » java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test read test.acl
> »
> » Is this a bug?
> »
> » --
> » Dav Coleman
> » http://AkuAku.org/
> »

--
Dav Coleman
http://AkuAku.org/ |
From: Sean R. <sra...@ae...> - 2004-08-27 20:37:39
|
Luis Pedro wrote:
>Sean,
>
>I've already committed AclEntry.java. It seems that Dav is in a hurry!
>
> -- Luís Pedro

Excellent. Thanks Luis.

As Luis says, good luck Dav.

Sean

--
Dr. Sean Radford, MBBS, MSc
sra...@ae...
http://www.aegeus-technology.com/ |
From: Luis P. <lp...@ne...> - 2004-08-27 20:17:34
|
Dav,

In fact there was a bug!! Hum, how did that happen :) :) Well, the error is fixed, you can take the new AclEntry.java from CVS.

Good luck with your work.

-- Luís Pedro
_____________________
yahoo: lpv_pt
msn: lp...@ne...

» -----Original Message-----
» From: jsd...@li...
» [mailto:jsd...@li...] On
» Behalf Of Dav Coleman
» Sent: Friday, 27 August 2004 17:59
» To: jsdsi users
» Subject: [Jsdsi-users] unable to read AclEntry
»
» Hi, when using jsdsi.ObjInputStream I am unable to read a
» previously
» written AclEntry, using both the jsdsi-0.5.jar and the
» snapshot jar.
» I'm attaching a java source that shows this.
»
» Here's the exception:
» jsdsi.sexp.SexpParseException: expected list
»     at jsdsi.sexp.SexpUtil.check(SexpUtil.java:109)
»     at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:133)
»     at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:142)
»     at jsdsi.sexp.SexpUtil.getNextList(SexpUtil.java:171)
»     at jsdsi.AclEntry.parseAclEntry(AclEntry.java:181)
»     at jsdsi.Obj.parseObj(Obj.java:195)
»     at jsdsi.Obj.parseObj(Obj.java:182)
»     at jsdsi.sexp.ObjInputStream.readObj(ObjInputStream.java:52)
»     at test.read(test.java:45)
»     at test.main(test.java:67)
»
» For convenience, here's the javac and java cmds to test.
»
» javac -classpath extlib/jsdsi-0.5.jar test.java
»
» java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test write test.acl
» cat test.acl
» java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test read test.acl
»
» Is this a bug?
»
» --
» Dav Coleman
» http://AkuAku.org/
» |
From: Sean R. <sra...@ae...> - 2004-08-27 18:40:50
|
Dav Coleman wrote:
>Hi, when using jsdsi.ObjInputStream I am unable to read a previously
>written AclEntry, using both the jsdsi-0.5.jar and the snapshot jar.
>I'm attaching a java source that shows this.
>
>Here's the exception:
>jsdsi.sexp.SexpParseException: expected list
>    at jsdsi.sexp.SexpUtil.check(SexpUtil.java:109)
>    at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:133)
>    at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:142)
>    at jsdsi.sexp.SexpUtil.getNextList(SexpUtil.java:171)
>    at jsdsi.AclEntry.parseAclEntry(AclEntry.java:181)
>    at jsdsi.Obj.parseObj(Obj.java:195)
>    at jsdsi.Obj.parseObj(Obj.java:182)
>    at jsdsi.sexp.ObjInputStream.readObj(ObjInputStream.java:52)
>    at test.read(test.java:45)
>    at test.main(test.java:67)
>
>For convenience, here's the javac and java cmds to test.
>
>javac -classpath extlib/jsdsi-0.5.jar test.java
>
>java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test write test.acl
>cat test.acl
>java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test read test.acl
>
>Is this a bug?

Sure looks like it from your description. Most probably because no-one has really used Acl objects yet. I'll try to look into it tomorrow afternoon and hopefully get a fix into CVS.

Sean

--
Dr. Sean Radford, MBBS, MSc
sra...@ae...
http://www.aegeus-technology.com/ |
From: Dav C. <dav...@gm...> - 2004-08-27 16:58:35
|
Hi, when using jsdsi.ObjInputStream I am unable to read a previously written AclEntry, using both the jsdsi-0.5.jar and the snapshot jar. I'm attaching a java source that shows this.

Here's the exception:

jsdsi.sexp.SexpParseException: expected list
    at jsdsi.sexp.SexpUtil.check(SexpUtil.java:109)
    at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:133)
    at jsdsi.sexp.SexpUtil.getList(SexpUtil.java:142)
    at jsdsi.sexp.SexpUtil.getNextList(SexpUtil.java:171)
    at jsdsi.AclEntry.parseAclEntry(AclEntry.java:181)
    at jsdsi.Obj.parseObj(Obj.java:195)
    at jsdsi.Obj.parseObj(Obj.java:182)
    at jsdsi.sexp.ObjInputStream.readObj(ObjInputStream.java:52)
    at test.read(test.java:45)
    at test.main(test.java:67)

For convenience, here's the javac and java cmds to test.

javac -classpath extlib/jsdsi-0.5.jar test.java

java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test write test.acl
cat test.acl
java -classpath .:extlib/cryptix32.jar:extlib/jsdsi-0.5.jar test read test.acl

Is this a bug?

--
Dav Coleman
http://AkuAku.org/ |
From: Sameer A. <aj...@gm...> - 2004-08-26 18:59:27
|
Dav,

What you're describing is a distributed certificate chain search. The JSDSI Prover can do this for you, but it requires that you provide a CertStore that does all the network communication for it. Details below...

> Do you mean Alice created a NameCert tying Bobby's pubkey to the name
> Family and then sent it to me and I add it to my CertStore? I have to
> maintain copies of the name certificates for everyone else's local
> name space?

You don't need to add those certs to your local CertStore. However, your local CertStore does need to know where to find those certs (i.e., the ones issued by Alice). Here's what will happen: the Prover will realize that it needs to find all Name certs issued by Alice for the name "Family". To do this, it will call certStore.getCertificates(new NameCertSelector(AlicePrincipal, "Family")). The CertStore implementation will need to know how to find the requested certs given this information (i.e., Alice's public key). You can implement this however you want: you can have all the certs in a local collection (e.g., using jsdsi.CertStore), or you can distribute the certs on many different sites (e.g., using jsdsi.ldap.LDAPCertStore --- ask Luis Pedro for details on LDAP).

> Who creates that AuthCert, Bobby? Or do I have to maintain a
> comprehensive set of all possible authorizations for my resources?

You just need to create an AuthCert for each AclEntry. The issuer of these AuthCerts is essentially your access controller: some principal that represents the process that controls access to your resources. An easy way to do this is to create a method like this:

    void convertAclEntriesToAuthCerts(Acl acl, CertStore store) {
        /** For each AclEntry in acl:
            1) Creates an AuthCert issued by "controller" whose subject is the subject of the entry
            2) Signs the cert using controller's private key.
            3) Adds the signed cert to the CertStore.
        **/
    }

> I had been thinking that I only had to maintain my local namespace
> certificates and the AclEntries for my local resources.

True, but your CertStore needs to know where to find non-local certs, as described above.

> I had thought that it would work something like this:
> - Bobby would create a request with his signature and send it to me.

Yes. The Prover does all this for you:

> - I would look to see if I had a specific AclEntry for Bobby.
> - Not finding one, I would contact Alice's process (since some
> principal in her namespace does have an AclEntry) and see if she can
> map Bobby to Family using her local NameCerts and AuthCerts.
> - She would respond with something that signs Bobby's request
> verifying that he belongs to her Family
> - My process would now have a valid chain that links Bobby to the
> AclEntry for the resource and grants access.

Like I described in the last email, you just ask the Prover to try and find a cert chain that proves that "controller" grants access to Bobby. The certs we generated above for the ACL provide the starting point. (The Prover notices that "controller" grants access to Alice.) The Prover then uses the CertStore to find additional certs for the chain. (The Prover requests AuthCerts issued by Alice. The CertStore returns one that says "Alice grants access to 'Family'". The Prover then requests NameCerts issued by Alice for the name "Family." The Prover returns three: "Alice's Family includes MomPrincipal", "Alice's Family includes DadPrincipal", and "Alice's Family includes BobbyPrincipal". At this point, the prover has a chain of 3 certs that shows that the ACL ("controller") grants access to Bobby.)

Sameer

--
Sameer Ajmani
http://ajmani.net |
From: Dav C. <dav...@gm...> - 2004-08-26 17:29:12
|
On Thu, 26 Aug 2004 12:52:05 -0400, Sameer Ajmani <aj...@gm...> wrote:
> Alice can then grant access to her family using an AuthCert. Alice is
> the issuer of this cert, and the subject is a name "Family" (the cert
> has probably no propagate bit). Presumably, Alice has also issued
> NameCerts that define which principals belong to the group named
> "Family". (all these AuthCerts and NameCerts are in your CertStore)

Do you mean Alice created a NameCert tying Bobby's pubkey to the name Family and then sent it to me and I add it to my CertStore? I have to maintain copies of the name certificates for everyone else's local name space?

> When Bobby (Alice's brother) attempts to access the webcam, the access
> controller (a process) attempts to prove an AuthCert that starts from
> the principals in the Acl entries and ends with Bobby. Here's a
> simple hack to make this work:

Who creates that AuthCert, Bobby? Or do I have to maintain a comprehensive set of all possible authorizations for my resources?

I had been thinking that I only had to maintain my local namespace certificates and the AclEntries for my local resources.

I had thought that it would work something like this:
- Bobby would create a request with his signature and send it to me.
- I would look to see if I had a specific AclEntry for Bobby.
- Not finding one, I would contact Alice's process (since some principal in her namespace does have an AclEntry) and see if she can map Bobby to Family using her local NameCerts and AuthCerts.
- She would respond with something that signs Bobby's request verifying that he belongs to her Family
- My process would now have a valid chain that links Bobby to the AclEntry for the resource and grants access.

I'm off track there aren't I?

--
Dav Coleman
http://AkuAku.org/ |
From: Sameer A. <aj...@gm...> - 2004-08-26 16:52:09
|
Dav,

You're on the right track. But unfortunately, JSDSI has not integrated AclEntries into its Prover process. But you can hack a basic version of this yourself:

The AclEntry contains the "root of trust", e.g., it might have an entry that states that Alice has read access to the webcam and can propagate that access. Alice is the subject of that entry.

Alice can then grant access to her family using an AuthCert. Alice is the issuer of this cert, and the subject is a name "Family" (the cert has probably no propagate bit). Presumably, Alice has also issued NameCerts that define which principals belong to the group named "Family". (all these AuthCerts and NameCerts are in your CertStore)

When Bobby (Alice's brother) attempts to access the webcam, the access controller (a process) attempts to prove an AuthCert that starts from the principals in the Acl entries and ends with Bobby. Here's a simple hack to make this work:

For each AclEntry, create an AuthCert whose issuer is some fake principal, like "root", and whose subject, tag, propagate bit, and validity are as given in the AclEntry. So in the example, you'd create an AuthCert whose issuer is root and whose subject is Alice, etc. Add these Certs to your CertStore. Now just attempt to prove the AuthCert, "root grants webcam-read-access to Bobby". If a proof is found, then Bobby has access.

Sorry the support for this isn't better!

Sameer

On Thu, 26 Aug 2004 09:30:02 -0700, Dav Coleman <dav...@gm...> wrote:
> I'm making progress on my JSDSI app. I can create keypairs, name
> certificates and auth certificates so far. There's a GUI interface
> that uses the file system for persistence (serialized unencrypted
> HashMap for the KeyPairs at the moment, and a directory of
> jsdsi.Certificate.toSequence() .certificate files created with
> jsdsi.ObjOutputStream).
>
> I'm a little confused with how jsdsi.Acl and jsdsi.AuthCert work together.
>
> Is the idea that the AclEntry is the 'base' for all authorizations?
>
> Is this scenario compatible with the design intentions? :
>
> I want to grant a permission to access my webcam to the principal I
> call Alice and her family.
>
> 1) I create a jsdsi.Tag that represents the webcam access. Say a
> StringTag with the value "WEBCAM-READ"
> 2) I create a NameCert that binds Alice's public key to the local
> namespace name "Alice". I then wrap this in a jsdsi.Certificate and
> store it in my CertStore.
> 3) I create an AclEntry that associates the StringTag with Alice and
> gives propagate permission.
> 4) I store this in a jsdsi.Acl object.
> 5) The jsdsi.Acl object is persisted to disk and should be encrypted
> to avoid tampering.
>
> 6) Somehow (application-responsibility) communicate to the holder of
> the Alice keypair that she has access to something represented as a
> StringTag named "WEBCAM-READ" at some host.
>
> here's where I start getting really confused....
>
> 7) Alice creates an AuthCert that delegates access to the StringTag
> "WEBCAM-READ" to people bound to her local namespace as Family. This
> is the only place where an AuthCert comes into play, when delegating a
> Tag that was defined in someone else's Acl?
>
> 8) Alice wants to access the resource, so she creates some sort of
> request JSDSI object that specifies
> - the StringTag she is requesting access to
> - A signature generated with her private key
> .....what does this request look like?
>
> 9) When I receive this request, I have to verify that it comes from
> Alice (using the Signature) and that Alice has access (using the Acl).
> I assume that there are jsdsi facilities for doing this (probably
> CertPathValidator or Prover I guess), but I haven't got this far yet
> so I don't really know.
>
> 10) I'm even more confused as to how her family members create their
> requests, although I assume if I can figure out how to complete a
> circuit for Alice then I'll start to see how her family can do it.
>
> Am I on track at all here? I know this is probably a case of RTFM, but
> there's so many different manuals, and frankly I don't trust that all
> of them are consistent with the current JSDSI since some are for SPKI,
> some are for SDSI (before the merge), some are for the old Java
> implementation, some are for implementations in other languages....
> Whenever I get this working I'd like to write up some sort of online
> article about how to use JSDSI in addition to publishing the demo code
> so it would be a little more clear for other java app developers.
>
> I leave for Burning Man in two days, and then FOO Camp is three days
> after I get back. I sort of don't think I'm going to have anything
> ready to demo, but I'm still trying to make it happen. If I can get to
> the point where I can complete an authorization/request circuit with a
> couple of days left to spare then I might be able to build enough of
> an example on top of that to at least demo the concept if not an
> actual beta app.
>
> Thanks in advance for any advice!
>
> --
> Dav Coleman
> http://AkuAku.org/

--
Sameer Ajmani
http://ajmani.net |
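The ACL-to-AuthCert conversion and the chain search that Sameer's two replies in this thread describe (controller -> Alice -> Alice's "Family" -> Bobby), as an added Python example. It is not JSDSI's Prover or CertStore, and the class and function names (CertStore, acl_to_auth_certs, prove, ...) are assumed for illustration; principals are plain strings standing in for public keys, and the certificates in build_demo_store are constructed sample data for the webcam scenario. It also shows the propagate-bit check the replies mention: with no propagate bit on Alice's cert to "Family", Bobby cannot pass the access on.

```python
from dataclasses import dataclass
from typing import Union


# Principals are plain strings here (stand-ins for a public key or its hash).
# A Name is a SDSI local name, meaningful only in the issuer's own namespace.
@dataclass(frozen=True)
class Name:
    issuer: str
    name: str


Subject = Union[str, Name]


@dataclass(frozen=True)
class NameCert:
    """(issuer, name) -> subject; the subject may itself be a Name."""
    issuer: str
    name: str
    subject: Subject


@dataclass(frozen=True)
class AuthCert:
    """issuer grants `tag` to subject; `propagate` allows re-delegation."""
    issuer: str
    subject: Subject
    tag: str
    propagate: bool


@dataclass(frozen=True)
class AclEntry:
    subject: Subject
    tag: str
    propagate: bool


class CertStore:
    """In-memory stand-in for a cert store. A distributed store would answer
    the same two queries by fetching from wherever `issuer` publishes certs."""
    def __init__(self):
        self.certs = []

    def add(self, cert):
        self.certs.append(cert)

    def auth_certs_from(self, issuer, tag):
        return [c for c in self.certs
                if isinstance(c, AuthCert) and c.issuer == issuer and c.tag == tag]

    def name_certs_for(self, issuer, name):
        return [c for c in self.certs
                if isinstance(c, NameCert) and c.issuer == issuer and c.name == name]


def acl_to_auth_certs(acl, controller, store):
    """Turn each AclEntry into an AuthCert issued by the access controller,
    so the ACL becomes the root of the chain the prover searches for."""
    for entry in acl:
        store.add(AuthCert(controller, entry.subject, entry.tag, entry.propagate))


def resolve(store, subject, seen=frozenset()):
    """Expand a subject into the set of principals it denotes.
    Names may refer to other names; `seen` guards against cycles."""
    if isinstance(subject, str):
        return {subject}
    if subject in seen:
        return set()
    principals = set()
    for nc in store.name_certs_for(subject.issuer, subject.name):
        principals |= resolve(store, nc.subject, seen | {subject})
    return principals


def prove(store, controller, principal, tag):
    """Depth-first search for a chain of AuthCerts controller -> ... -> principal.
    Every cert before the last must carry the propagate bit. Tags are matched
    exactly here; real SPKI intersects them along the chain."""
    def search(issuer, chain, visited):
        for cert in store.auth_certs_from(issuer, tag):
            holders = resolve(store, cert.subject)
            if principal in holders:
                return chain + [cert]
            if not cert.propagate:
                continue
            for holder in holders - visited:
                found = search(holder, chain + [cert], visited | {holder})
                if found:
                    return found
        return None
    return search(controller, [], {controller})


def build_demo_store(family_may_redelegate=False):
    """Constructed sample certs for the webcam scenario in the thread."""
    store = CertStore()
    acl_to_auth_certs([AclEntry("Alice", "WEBCAM-READ", True)], "controller", store)
    store.add(AuthCert("Alice", Name("Alice", "Family"), "WEBCAM-READ", family_may_redelegate))
    for member in ("Mom", "Dad", "Bobby"):
        store.add(NameCert("Alice", "Family", member))
    store.add(AuthCert("Bobby", "Carol", "WEBCAM-READ", False))  # Bobby tries to pass it on
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for who in ("Bobby", "Carol", "Eve"):
        chain = prove(store, "controller", who, "WEBCAM-READ")
        print(who, "->", [(c.issuer, c.subject) for c in chain] if chain else "no chain")
```

Bobby gets a two-cert chain (controller -> Alice, Alice -> Family), Eve gets none, and Carol gets none unless Alice's cert to "Family" carries the propagate bit; the store's two query methods are the only points a networked store would have to replace.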
From: Dav C. <dav...@gm...> - 2004-08-26 16:30:07
|
I'm making progress on my JSDSI app. I can create keypairs, name certificates and auth certificates so far. There's a GUI interface that uses the file system for persistence (serialized unencrypted HashMap for the KeyPairs at the moment, and a directory of jsdsi.Certificate.toSequence() .certificate files created with jsdsi.ObjOutputStream).

I'm a little confused with how jsdsi.Acl and jsdsi.AuthCert work together.

Is the idea that the AclEntry is the 'base' for all authorizations?

Is this scenario compatible with the design intentions? :

I want to grant a permission to access my webcam to the principal I call Alice and her family.

1) I create a jsdsi.Tag that represents the webcam access. Say a StringTag with the value "WEBCAM-READ"
2) I create a NameCert that binds Alice's public key to the local namespace name "Alice". I then wrap this in a jsdsi.Certificate and store it in my CertStore.
3) I create an AclEntry that associates the StringTag with Alice and gives propagate permission.
4) I store this in a jsdsi.Acl object.
5) The jsdsi.Acl object is persisted to disk and should be encrypted to avoid tampering.

6) Somehow (application-responsibility) communicate to the holder of the Alice keypair that she has access to something represented as a StringTag named "WEBCAM-READ" at some host.

here's where I start getting really confused....

7) Alice creates an AuthCert that delegates access to the StringTag "WEBCAM-READ" to people bound to her local namespace as Family. This is the only place where an AuthCert comes into play, when delegating a Tag that was defined in someone else's Acl?

8) Alice wants to access the resource, so she creates some sort of request JSDSI object that specifies
- the StringTag she is requesting access to
- A signature generated with her private key
....what does this request look like?

9) When I receive this request, I have to verify that it comes from Alice (using the Signature) and that Alice has access (using the Acl). I assume that there are jsdsi facilities for doing this (probably CertPathValidator or Prover I guess), but I haven't got this far yet so I don't really know.

10) I'm even more confused as to how her family members create their requests, although I assume if I can figure out how to complete a circuit for Alice then I'll start to see how her family can do it.

Am I on track at all here? I know this is probably a case of RTFM, but there's so many different manuals, and frankly I don't trust that all of them are consistent with the current JSDSI since some are for SPKI, some are for SDSI (before the merge), some are for the old Java implementation, some are for implementations in other languages.... Whenever I get this working I'd like to write up some sort of online article about how to use JSDSI in addition to publishing the demo code so it would be a little more clear for other java app developers.

I leave for Burning Man in two days, and then FOO Camp is three days after I get back. I sort of don't think I'm going to have anything ready to demo, but I'm still trying to make it happen. If I can get to the point where I can complete an authorization/request circuit with a couple of days left to spare then I might be able to build enough of an example on top of that to at least demo the concept if not an actual beta app.

Thanks in advance for any advice!

--
Dav Coleman
http://AkuAku.org/ |