From: Pascal S. <Pas...@se...> - 2003-08-14 15:09:01

Hi,

If you are looking to use XML Sig / Enc as a replacement of the current openSST message format, maybe you can take a look at the openXades project (http://www.openxades.org/), developed by the Estonian CA (SK, http://www.sk.ee/, see also http://www.id.ee/). They also used the concept of a generic XML message (well, they call it document) format for storing the data to be signed or encrypted. Only hitch is that they mainly focus on signing and not so much on encryption, but it could maybe help you anyway.

Regards,
Pascal

On Thu, 2003-08-14 at 11:18, Alexandre Dulaunoy wrote:
> On Thu, 14 Aug 2003, Sebastien Stormacq - Senior Architect - Software Services Belux wrote:
>
> > Hello,
> >
> > Once again ... I think it might be interesting to investigate the SAML
> > spec to replace / embrace the existing opensst message format
> >
> > http://weblogs.java.net/pub/wlg/331
> >
>
> SAML is 'mainly' about the exchange of authentication and authorization
> data in an XML format. SAML is only a part of Web Services security and
> does not provide 'directly' a new general format for post-processing
> messages or signed messages. So I can't see where we can use it for the
> message format. SAML is a friend of XACML. SAML can use the XML
> Signature / XML Encryption standard and they are not directly
> connected.
>
> I tend to consider that the XML Signature / XML Encryption standard[3][4]
> is a possible replacement for the current OpenSST message format. There
> are implementations (one year ago it wasn't the case) of the XML Signature
> / XML Encryption standard available and working quite well. For example,
> the XML Security Library[1] done by Aleksey Sanin is an excellent piece of
> software. There are existing methods and approaches for session key based
> messages:
> http://www.aleksey.com/xmlsec/api/xmlsec-encrypt-with-session-key.html.
>
> The main issue is the complexity of the standard itself, look at the
> MUST/SHOULD keywords in the standard. Sometimes (often?), the standard
> is not fully supported due to the lack of various encryption in the
> cryptography libraries[2]
>
> So building a small message format using (a subset?) of XML Signature
> / XML Encryption seems quite possible.
>
> The main advantage of XML Sig/Enc is that it can be applied to arbitrary
> digital content. We have also to dig into the Canonical and Exclusive
> Canonical issue in order to provide an easy way; there are some
> libraries available doing that (for example, the Gnome Libxml2
> library).
>
> So we can imagine an existing <OpenSSTdata part>/<OpenSSTheader part>
> with an enveloping signature <Object><data id part /> <header part
> /></Object> or a detached signature (with a URI reference inside the
> document).
>
> For the encryption, we can imagine an encryption on the whole element
> (in a first version) of the OpenSSTdata part (header too? or another
> encapsulated header part?). <EncryptedData>
> <CipherData><CipherValue>...</CipherValue>...
>
> The ordering is easily solved by following the ordering of decryption
> and verification in the standard. (xmlenc-decrypt)
>
> What do you think of that? We have to define the data part (quite the
> same as the current part?) and the header part (is it needed?).
>
> Thanks,
>
> Have a nice day,
>
> adulau
>
> [1] http://www.aleksey.com/xmlsec/
> [2] http://www.aleksey.com/xmlsec/xmldsig.html
> [3] http://www.w3.org/TR/xmldsig-core/
> [4] http://www.w3.org/TR/xmlenc-core/

--
Pascal Steichen
Ministère de l'Economie
Direction de l'Energie et des Communications
LuxTrust GIE
19-21 boulevard Royal
L-2449 Luxembourg
tél: +352 478 4179
fax: +352 478 4311
e-mail: pas...@se...
From: Alexandre D. <ad...@fo...> - 2003-08-14 10:35:39

On Thu, 14 Aug 2003, Sebastien Stormacq - Senior Architect - Software Services Belux wrote:

> Hello,
>
> Once again ... I think it might be interesting to investigate the SAML
> spec to replace / embrace the existing opensst message format
>
> http://weblogs.java.net/pub/wlg/331
>

SAML is 'mainly' about the exchange of authentication and authorization data in an XML format. SAML is only a part of Web Services security and does not provide 'directly' a new general format for post-processing messages or signed messages. So I can't see where we can use it for the message format. SAML is a friend of XACML. SAML can use the XML Signature / XML Encryption standard and they are not directly connected.

I tend to consider that the XML Signature / XML Encryption standard[3][4] is a possible replacement for the current OpenSST message format. There are implementations (one year ago it wasn't the case) of the XML Signature / XML Encryption standard available and working quite well. For example, the XML Security Library[1] done by Aleksey Sanin is an excellent piece of software. There are existing methods and approaches for session key based messages: http://www.aleksey.com/xmlsec/api/xmlsec-encrypt-with-session-key.html.

The main issue is the complexity of the standard itself, look at the MUST/SHOULD keywords in the standard. Sometimes (often?), the standard is not fully supported due to the lack of various encryption in the cryptography libraries[2]

So building a small message format using (a subset?) of XML Signature / XML Encryption seems quite possible.

The main advantage of XML Sig/Enc is that it can be applied to arbitrary digital content. We have also to dig into the Canonical and Exclusive Canonical issue in order to provide an easy way; there are some libraries available doing that (for example, the Gnome Libxml2 library).

So we can imagine an existing <OpenSSTdata part>/<OpenSSTheader part> with an enveloping signature <Object><data id part /> <header part /></Object> or a detached signature (with a URI reference inside the document).

For the encryption, we can imagine an encryption on the whole element (in a first version) of the OpenSSTdata part (header too? or another encapsulated header part?). <EncryptedData> <CipherData><CipherValue>...</CipherValue>...

The ordering is easily solved by following the ordering of decryption and verification in the standard. (xmlenc-decrypt)

What do you think of that? We have to define the data part (quite the same as the current part?) and the header part (is it needed?).

Thanks,

Have a nice day,

adulau

[1] http://www.aleksey.com/xmlsec/
[2] http://www.aleksey.com/xmlsec/xmldsig.html
[3] http://www.w3.org/TR/xmldsig-core/
[4] http://www.w3.org/TR/xmlenc-core/

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov
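As an added example (not code from this thread or from the OpenSST project), here is a Python sketch of the detached-reference and canonicalisation part of the proposal above: the OpenSSTdata part is located by an id reference, canonicalised with the standard library's C14N 2.0 (Python 3.8+), then digested and MAC-tagged with an assumed shared session key. The element names, the id attribute and the HMAC standing in for SignatureValue are assumptions for illustration, not a conforming XML-DSig implementation.

```python
"""Added example, not OpenSST project code: detached reference + C14N digest
over the OpenSSTdata part. Element/attribute names and the session-key HMAC
are assumptions for illustration (not conforming XML-DSig / XML-Enc)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample message. The id attribute is what a detached
# signature's URI="#data" reference would point at.
MESSAGE = """<OpenSST>
  <OpenSSTheader><from>alice</from><to>bob</to></OpenSSTheader>
  <OpenSSTdata id="data">
    <payload amount="10" currency="EUR">transfer</payload>
  </OpenSSTdata>
</OpenSST>"""

# Same message re-serialised by another stack: no indentation, attributes
# in a different order. Semantically equal, byte-wise different.
MESSAGE_RESERIALISED = (
    '<OpenSST><OpenSSTheader><from>alice</from><to>bob</to></OpenSSTheader>'
    '<OpenSSTdata id="data"><payload currency="EUR" amount="10">transfer'
    '</payload></OpenSSTdata></OpenSST>'
)

# Tampered copy: a single attribute value inside the referenced part changed.
MESSAGE_TAMPERED = MESSAGE.replace('amount="10"', 'amount="1000"')

# Assumption: both sides share this session key (constructed for the demo).
SESSION_KEY = b"constructed-session-key-for-demo"


def resolve_reference(doc: str, uri: str) -> ET.Element:
    """Resolve a same-document reference of the form '#id' to the element it names."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    root = ET.fromstring(doc)
    for elem in root.iter():
        if elem.get("id") == uri[1:]:
            return elem
    raise LookupError(f"no element with id {uri[1:]!r}")


def canonical_bytes(elem: ET.Element) -> bytes:
    """Canonicalise the referenced subtree with the stdlib C14N 2.0 writer.
    strip_text drops ignorable whitespace; C14N fixes the attribute order,
    so equivalent serialisations produce identical bytes."""
    raw = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True).encode("utf-8")


def digest_value(doc: str, uri: str = "#data") -> str:
    """SHA-256 over the canonical form of the referenced element (DigestValue role)."""
    return hashlib.sha256(canonical_bytes(resolve_reference(doc, uri))).hexdigest()


def sign(doc: str, key: bytes, uri: str = "#data") -> str:
    """Stand-in for SignatureValue: HMAC over the digest with the session key.
    A real XML-DSig signs the canonicalised SignedInfo with a private key."""
    return hmac.new(key, digest_value(doc, uri).encode(), hashlib.sha256).hexdigest()


def verify(doc: str, key: bytes, signature: str, uri: str = "#data") -> bool:
    """Recompute and compare in constant time. Any change inside the referenced
    element, attribute values included, fails; re-serialisation does not."""
    return hmac.compare_digest(sign(doc, key, uri), signature)


if __name__ == "__main__":
    sig = sign(MESSAGE, SESSION_KEY)
    print("canonical data part:", canonical_bytes(resolve_reference(MESSAGE, "#data")))
    print("re-serialised verifies:", verify(MESSAGE_RESERIALISED, SESSION_KEY, sig))
    print("tampered verifies:", verify(MESSAGE_TAMPERED, SESSION_KEY, sig))
```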
From: <se...@ma...> - 2003-05-31 08:25:59

Hello,

In order to strictly comply with GNU GPL v2, we decided to replace the JDOM library used in the Java Prototype by another library having a GNU GPL v2 compliant license. DOM4J was meeting this criteria. Stephan (Student from the IST) made the necessary code modifications during his assignment at Aubay.

The modified source code will be available today on SourceForge's CVS. Bin and Src releases will follow as usual.

Enjoy!

Seb
From: XinHua Z. <zh...@Te...> - 2003-05-01 13:12:12

Hello,

In my test, after I configure the environment variable, everything is ok. I test it in Windows system.

regards,
Xinhua

-----Original Message-----
From: ope...@li... [mailto:ope...@li...] On Behalf Of Stormacq, Sebastien
Sent: Donnerstag, 1. Mai 2003 09:30
To: jyo...@ne...
Cc: ope...@li...
Subject: Re: [Opensst-developer] (no subject)

Hello,

> I followed the instructions to the letter, had everything installed
> and set up properly, still I get the following error when I try to
> start a new session and the key authentication process:
>
> "The URL you requested does not identify a valid object on this server.
> Please verify that the URL used is indeed correct, and try again.
> Please contact the server administrator if you have any questions."
>

I never saw this error message ... what piece of software is saying that? The browser, the server? Is the server correctly set up?

When Tomcat is installed properly, you should see the Tomcat welcome page and some demo programs at http://localhost:8080

What is the log saying? On the server, the logs are in $TOMCAT_HOME/logs (mainly catalina.out). On the client, you should either start the client from the command line (ant run will do the trick when ant is installed :-) or configure the Java Web Start to open up the console at startup time. Normally, the logs should give more information.

Hope this helps

seb
From: <S.S...@au...> - 2003-05-01 07:30:41

Hello,

> I followed the instructions to the letter, had everything installed
> and set up properly, still I get the following error when I try to
> start a new session and the key authentication process:
>
> "The URL you requested does not identify a valid object on this server.
> Please verify that the URL used is indeed correct, and try again.
> Please contact the server administrator if you have any questions."
>

I never saw this error message ... what piece of software is saying that? The browser, the server? Is the server correctly set up?

When Tomcat is installed properly, you should see the Tomcat welcome page and some demo programs at http://localhost:8080

What is the log saying? On the server, the logs are in $TOMCAT_HOME/logs (mainly catalina.out). On the client, you should either start the client from the command line (ant run will do the trick when ant is installed :-) or configure the Java Web Start to open up the console at startup time. Normally, the logs should give more information.

Hope this helps

seb
From: <jyo...@ne...> - 2003-04-30 21:13:22

Hello,

I followed the instructions to the letter, had everything installed and set up properly, still I get the following error when I try to start a new session and the key authentication process:

"The URL you requested does not identify a valid object on this server. Please verify that the URL used is indeed correct, and try again. Please contact the server administrator if you have any questions."

Has this something to do with my set-up? Please let me know.

Thanks,
Jyothi
From: <S.S...@au...> - 2003-04-29 06:38:44

Hello,

I have corrected the bug that prevents the opensst server from starting when it does not find its logging configuration file. The new class OpenSSTLogger is under CVS (common project).

I have not built a binary distribution yet but this is quite easy to do starting from CVS and using the provided ant scripts.

hope this helps

Seb
From: <S.S...@au...> - 2003-04-28 18:30:26

Hello,

> Thanks! but could you tell me which place I should set JAVA_OPTS env.
> variable.
> Is it in a special file?

It's an environment variable and, on unix systems, it can be set anywhere from a command line.

From Windows, you can set it using the System icon in the control panel, then choose "Environment Variable", or in a DOS box should you decide to start/stop Tomcat from the command line.

This must be set before starting tomcat.

hope this helps

seb
From: <S.S...@au...> - 2003-04-27 18:21:02

I may have forgotten something in the doc ... I discovered that yesterday.

Before starting the server, you have to set the JAVA_OPTS env. variable to tell the server where it can find its configuration file. It seems that there is a bug in the server that prevents it from finding the file if the env. variable is not set.

here are my settings

    export JAVA_OPTS="-ea -Dtomcat -Dorg.opensst.logging.config.file=http://localhost:8080/openSST-server/config/logging.properties"

the -ea is to activate the assertions
the -Dtomcat is to easily find the server JVM in the ps -ax output (when you have several JVM running ...)
and the latest -D sets the location of the server's logging config file

Just tell me if this is working, I'll update my package with an up-to-date doc.

sorry for the inconveniences

Seb

On dimanche, avr 27, 2003, at 19:47 Europe/Brussels, XinHua Zhang wrote:

> Hello, Sebastien,
>
> I just tested the openSST java prototype you updated on 5th April.
> However, when I click "create a new session", the browser always
> shows:
>
> HTTP ERROR: 500 Internal Server Error
>
> java.lang.NullPointerException
> RequestURI=/openSST-Init
>
> I think there are no problems with Tomcat and JWS in my computer.
> Should I yet make other configuration?
>
> Thanks.
>
> Xinhua
>
From: XinHua Z. <zh...@Te...> - 2003-04-27 17:43:39

Hello, Sebastien,

I just tested the openSST java prototype you updated on 5th April. However, when I click "create a new session", the browser always shows:

HTTP ERROR: 500 Internal Server Error

java.lang.NullPointerException
RequestURI=/openSST-Init

I think there are no problems with Tomcat and JWS in my computer. Should I yet make other configuration?

Thanks.

Xinhua
From: <jyo...@ne...> - 2003-04-18 15:19:42

Hello,

Thank you for the detailed instructions. The problems I was facing were because of the way my system was set up. Now I've got everything up and running properly.

I'm really sorry for the delay in getting back to you. But school-work and job-work were taking their toll on me. So now I'm all set to start working. Please let me know if you have any projects that I can work on. As I said earlier, I am interested in working on security-related issues.

Thanks again for your help. I look forward to hearing from you soon.

-Jyothi

ope...@li... wrote:

> Message: 1
> From: "Stormacq, Sébastien" <S.S...@au...>
> To: ste...@is..., ope...@li...
> Date: Thu, 10 Apr 2003 21:58:36 +0200
> Subject: [Opensst-developer] Installation HTTP Proxy
>
> Dear All,
>
> I have packaged the few files needed to start the openSST HTTP proxy in
> a quick and easy way.
> The files are available for download from www.sf.net/projects/opensst.
> This is a binary only package that is based on today's CVS image.
>
> The package contains everything you need to start using the HTTP Proxy
> in less than 15 minutes (should you have installed the prerequisite
> software beforehand :-)
>
> The package also contains a readme file that details the prerequisites
> and step by step instructions.
>
> I don't think I can do something easier to install .... check and see by
> yourself!
>
> Enjoy
>
> Seb
From: <S.S...@au...> - 2003-04-10 20:00:46

Dear All,

I have packaged the few files needed to start the openSST HTTP proxy in a quick and easy way. The files are available for download from www.sf.net/projects/opensst. This is a binary only package that is based on today's CVS image.

The package contains everything you need to start using the HTTP Proxy in less than 15 minutes (should you have installed the prerequisite software beforehand :-)

The package also contains a readme file that details the prerequisites and step by step instructions.

I don't think I can do something easier to install .... check and see by yourself!

Enjoy

Seb
From: <S.S...@au...> - 2003-04-05 13:25:05

Hello,

I have significantly changed the way the client locates its configuration file. I created an openSST-client.war file that can be deployed on tomcat as well. This should reduce the complexity to start the client since all config files are now relative to the localhost:8080 URL instead of my local directory structure.

The changes are committed to CVS.

I now have to rewrite the readme to describe step by step what needs to be done to start the whole thing, starting from an empty machine :-) This involves compiling the code but also signing libs (to be distributed with JWS), creating the server key pair, the user db etc ... I'll try to do this next week.

Seb

On jeudi, avr 3, 2003, at 19:26 Europe/Brussels, jyo...@ne... wrote:

> In the meantime, I would like to understand what has been achieved so
> far in this project. I tried installing the prototype, but my attempt
> has been unsuccessful. I followed the instructions from the
> README.html page, I was able to start the key generator, but when I
> tried to start Tomcat (by issuing ./startup.sh), a NULL pointer
> exception is thrown, and things don't quite work the way we want them
> to. Am I going off the track in understanding things here? Please let
> me know.
>

Normally, tomcat should start silently without any error. The tomcat code is only activated when the first request arrives ... any tomcat error before handling the first opensst request is probably not linked with opensst itself.

May I suggest you to subscribe on the developer mailing list, this will make our conversations more easy to archive :-)

Thanks

Seb
From: <S.S...@au...> - 2003-04-04 17:58:59

For info

Begin forwarded message:

> From: jyo...@ne...
> Date: Jeu avr 3, 2003 19:26:22 Europe/Brussels
> To: S.S...@au... ("Stormacq, Sébastien")
> Subject: Request for suggestions
>
> Hello Mr. Sebastien,
>
> Thank you very much for your quick response. I am glad I could get in
> touch with you this soon. I was discussing some areas I could work on
> with a friend, who has taken part in this project (Purushottam
> Komaravolu). I will come up with one specific area in a day or two and
> let you know.
>
> I didn't mention my background in my earlier mail. Here it is. I did
> my Bachelor's from India, majoring in Computer Science. I am currently
> pursuing my Master's degree which I mentioned in my earlier mail. I am
> comfortable working in UNIX environment and C/Java languages.
>
> In the meantime, I would like to understand what has been achieved so
> far in this project. I tried installing the prototype, but my attempt
> has been unsuccessful. I followed the instructions from the
> README.html page, I was able to start the key generator, but when I
> tried to start Tomcat (by issuing ./startup.sh), a NULL pointer
> exception is thrown, and things don't quite work the way we want them
> to. Am I going off the track in understanding things here? Please let
> me know.
>
> Also, if you could suggest some readings for things I need to know to
> be able to work on this project, it would help a lot.
>
> Thank you very much for writing back and offering to help.
>
> Regards,
> Jyothi
>
> "Stormacq, Sébastien" <S.S...@au...> wrote:
>
>> Hi Jyothi,
>>
>> I forwarded your message to the mailing list that includes all the
>> people and companies involved with OpenSST. We have a lot of areas to
>> improve. Give us just a little time to organize our ideas and we will
>> get back to you (it is just a matter of a few days :-)
>> In the meantime, do not hesitate to ask any questions you could have
>> on the subject. I will be glad to help you to understand, or install
>> the proto we have. (this could point to the missing stuffs in the doc)
>> Do you have any particular idea on something you would like to work on?
>> Anything that could be needed by another project, product, companies?
>> In other words: what are the stuffs you would like to improve (or
>> change) in the opensst prototypes?
>>
>> Thanks for your interest
>>
>> Kind regards,
>>
>> Seb
>>
>> On mercredi, avr 2, 2003, at 22:55 Europe/Brussels, Jyothi Kuruvada
>> wrote:
>>
>>> Hello!
>>>
>>> I am Jyothi. I am doing my Master's (major: Computer
>>> Science) at the University of Toledo, OH, USA.
>>>
>>> I would like to participate in this project and work on
>>> some module, which will become my Master's project. I
>>> was interested in working on Network Security and was
>>> told by a friend this would be a good project for my
>>> Master's degree.
>>>
>>> Please let me know if I can have the pleasure of joining
>>> this group and working on the project.
>>>
>>> I look forward to hearing from you soon.
>>>
>>> Thank you!
>>>
>>> -Jyothi Kuruvada
>>>
>> --
>> Sébastien Stormacq
>> Chief Architect
>> Aubay Luxembourg
>>

--
Sébastien Stormacq
Chief Architect
Aubay Luxembourg
From: Alexandre D. <al...@co...> - 2003-03-18 22:23:33

On Sun, 16 Mar 2003, "Stormacq, Sébastien" wrote:

> Hello,
>
> > We have currently a discussion in order to store the key used by
> > OpenSST in the OpenSST format itself. This could reduce the code
> > complexity and ease the compatibility between the OpenSST
> > implementations.
> >
> > If you have any comments, strong feeling that it is not required or
> > strong feeling that it is required, please let me know.
>
> why not, we will automatically have key encryption and signature,
> this is cool.

Yes. The parser could be the same for everything. Without having an ASN.1 parser in the implementation ;-)

> However,
>
> 1) there are so many existing standards for storing keys (PKCSnn series),
> why propose another one?

Yes but we have a big discussion with for example the PKCS#8 attributes for private keys. This is quite fixed and this is not really flexible for having a quite large private keyring. A simple solution would be to include an XML tree with a specific OpenSST type for storing the keys in a tree. Some testing will be published and I hope the subject will generate ideas (the liasit student is working on that).

> 2) IMHO, this is not protocol related, this is just a technique used by
> one implementation. This should not be a requirement for all
> implementations

This could be part of the "OpenSST: Security Consideration Documents". I need to publish the current status of the different documents (Message Format Description, Protocol Description and Security Consideration). Secure storing could be a requirement following the requirement of "customer"/user policy. This could be discussed in that document.

Have a nice night.

adulau

--
Alexandre Dulaunoy -- http://www.foo.be/
3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD --- AD993-6BONE
"People who fight may lose. People who do not fight have already lost." Bertolt Brecht
From: <S.S...@au...> - 2003-03-16 17:00:35

Hello,

> We have currently a discussion in order to store the key used by
> OpenSST in the OpenSST format itself. This could reduce the code
> complexity and ease the compatibility between the OpenSST
> implementations.
>
> If you have any comments, strong feeling that it is not required or
> strong feeling that it is required, please let me know.

why not, we will automatically have key encryption and signature, this is cool.

However,

1) there are so many existing standards for storing keys (PKCSnn series), why propose another one?

2) IMHO, this is not protocol related, this is just a technique used by one implementation. This should not be a requirement for all implementations

Have a nice evening,

Seb
From: Alexandre D. <ad...@fo...> - 2003-03-13 09:28:23

We have currently a discussion in order to store the key used by OpenSST in the OpenSST format itself. This could reduce the code complexity and ease the compatibility between the OpenSST implementations.

If you have any comments, strong feeling that it is not required or strong feeling that it is required, please let me know.

Have a nice day.

adulau

--
Alexandre Dulaunoy -- http://www.foo.be/
3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD --- AD993-6BONE
"People who fight may lose. People who do not fight have already lost." Bertolt Brecht
From: <S.S...@au...> - 2003-01-23 18:27:15

Pascal,

Pascal Steichen wrote:

> Well, as the client has to fill, set the config in his config file, I
> think the use of a simple properties file would be easier accepted and
> understood than a "complicated" xml file. XML is really powerful, and I'm
> pretty impressed about your xml messages, but for a config file I think
> a properties file would do the thing, no need of a dtd, no need of
> updating syntax and/or style, etc... it's pure text!

I don't think an end user should ever directly modify this file. A UI should be provided. Therefore, the exact file format is not very relevant (as long as we are talking about the end user).

For us, developers, I agree to say that any ascii file format will be easier to use than a binary format (serialized class). Using XML allows to leverage the programming techniques used everywhere else within the programs. :-)

Anyway ... as with many other subjects, I guess we will have as many opinions as people involved :-)))

>> On the other hand, since we are in the context of a web application:
>> i really like the idea of having the user's properties stored on the
>> server (and the file being exchanged through opensst messages). This
>> solution solves all deployment issues we are facing
>
> That sounds really good to me. The user properties could be stored on
> the server, and ciphered with his public key, so only he can use them.
> But I don't know if you want to go that far?

I realized later last night that this was a silly proposition from my side. The purpose of the config file is to give the proxy some info that will allow it to, amongst other, connect to the server. In this regard, the config file can not be stored on the server! Unless we are 100% sure that we won't ever need to store any connection related information.

I'd like to have the advice from others on that topic before choosing.

> The modif is in the OpenSSTServlet class (the proxy config on the client
> is handled by the JWS :)), here are the stuff I added:

OK, that's another good reason to use JWS. I never checked that aspect of JWS. Really a good point.

On the other side: is there really a reason to use a proxy on the server-side?

Thanks for the code.

> Eh, another thing, I heard that there is an initiative about testing
> interoperability of openSST and idx-pki (from idealx), do you know more
> about that, cause that would interest me as well?

I don't know the exact status of this. Check that with Christophe Feltus and/or Alexandre Dulaunoy. They are both on the ope...@li... mailing list.

Seb
From: Pascal S. <Pas...@se...> - 2003-01-23 08:27:26
|
On Wed, 2003-01-22 at 20:03, "Stormacq, Sébastien" wrote:
> Hello Pascal,
>
>> I've got a little class, used in some other java apps, that handles,
>> pretty nicely, a global properties file containing the config
>> variables. If you want to go the properties way for externalizing
>> config variables, I suggest taking a look at my class (see
>> attachment, package has to be adapted of course :)).
>
> I am always hesitating between a regular Java properties file and an
> XML file
>
> Maybe you have arguments that can help to choose between the two.
>
>
> Anyway, your class (and my hesitation) only address part of the
> problem : the reading and writing of the data itself. This is only the
> top of the iceberg on this topic and the most easy part to solve :-)
>
>
> The real problem, according to me, is to let the client figure out
> where the configuration file is and how he can read/write to it.

Well, as the client has to fill in and set the config in his config file, I think the use of a simple properties file would be more easily accepted and understood than a "complicated" XML file. XML is really powerful, and I'm pretty impressed by your XML messages, but for a config file I think a properties file would do the job: no need for a DTD, no need to update syntax and/or style, etc... it's pure text!

> As you have noticed, a JWS application can not write the file system
> as easily : we have to use JWS storage services.
>
>
> On the other hand, since we are in the context of a web application :
> i really like the idea of having the user's properties stored on the
> server (and the file being exchanged through opensst messages). This
> solution solves all deployment issues we are facing

That sounds really good to me. The user properties could be stored on the server, and ciphered with his public key, so only he can use them. But I don't know if you want to go that far?

>
>
> P.S.: By the way, I tested the stuff about the server being behind a
> proxy, works ok and is really easy to implement. Using a config
> properties file for this too would be perfect.
>
>
> I really would like to see your modif (even with hardcoded proxy)
>
> The output of a "diff -c" is fine for me.
>
> I can commit that in the CVS tree

The modif is in the OpenSSTServlet class (the proxy config on the client is handled by the JWS :)), here is the stuff I added:

Two global variables :

    // if server is behind proxy
    // use these :
    private static final String SERVER_PROXY = "proxy.domain.tld";
    private static final String SERVER_PROXY_PORT = "1234";

Setting of the proxy config into the system properties :

    /**
     * Forward the call we just received to the specified URL.
     *
     * @param destinationURL where we need to forward the call
     * @param httpCommand the HTTP command to use (GET, POST, ...)
     * @param httpHeaders the HTTP headers given by the browser to the local proxy
     * @param urlParams the URL params as received by the browser
     * @param httpOutHeader an empty map that will be populated
     *        with the HTTP headers sent by the server (including cookies)
     * @return the output of the forwarded call
     */
    private HTTPResponse forwardCall(String destinationURL, String httpCommand,
                                     Map httpHeaders, Map urlParams, Map httpOutHeader) {
        // testing proxy config
        Properties prop = new Properties();
        prop.put("http.proxyHost", SERVER_PROXY);
        prop.put("http.proxyPort", SERVER_PROXY_PORT);

        return HTTPHelper.getInstance().connect(destinationURL, null, httpHeaders,
                                                httpCommand, urlParams, httpOutHeader, prop);
    }

I had also to modify slightly the HTTPHelper.connect() method, to accept the proxy config :

    public HTTPResponse connect(String url, String dataToSend, Map httpHeaders,
                                String sendMethod, Map urlParams, Map httpOUTHeaders) {
        return connect(url, dataToSend, httpHeaders, sendMethod,
                       urlParams, httpOUTHeaders, null);
    }

    /**
     * Connect to an URL and give the result back.
     * It can also optionally post a set of data.
     *
     * @todo we should find a more efficient way to read the stream of bytes
     * @param url the URL where we need to connect
     * @param dataToSend the optional data to send
     * @param httpHeaders the HTTP headers to send
     * @param sendMethod the method to use when data will be sent (post or get)
     * @param urlParams the URL params, appended to the URL for GET
     * @param httpOUTHeaders an empty map that will be populated
     *        with the HTTP headers sent by the server (including cookies)
     * @param sysProps customized system properties, like proxy server etc.
     * @return the result, as received from the server
     */
    public HTTPResponse connect(String url, String dataToSend, Map httpHeaders,
                                String sendMethod, Map urlParams, Map httpOUTHeaders,
                                Properties sysProps) {
        HTTPResponse result = null;

        if ((sendMethod == null) || !(sendMethod.equals("POST") || sendMethod.equals("GET"))) {
            throw new IllegalArgumentException(
                "HTTPHelper.connect receives an invalid argument for sendMethod: " + sendMethod);
        }

        try {
            if (urlParams != null && !urlParams.isEmpty() && sendMethod.equals("GET")) {
                // add the params to the URL
                url = addParams(url, urlParams);
            }
            URL realURL = new URL(url);

            if (sysProps != null && !sysProps.isEmpty()) {
                // add these properties to the system properties
                Properties prop = System.getProperties();
                prop.putAll(sysProps);
            }

            HttpURLConnection uc = (HttpURLConnection) realURL.openConnection();
            uc.setDoInput(true);
            uc.setRequestMethod(sendMethod);
            . . . . etc.

To put it short, one has to add http.proxyHost and http.proxyPort to the system properties!

>
>
> Thanks for the effort and your suggestions

I really appreciate developing and contributing to the open-source community. And I think that your project is very nice. Eh, another thing, I heard that there is an initiative about testing interoperability of openSST and idx-pki (from idealx), do you know more about that, cause that would interest me as well?

>
>
> Seb

-- 
pst
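A per-connection alternative to the patch in the message above, added here as an example and not OpenSST's own code: java.net.Proxy (available since Java 5) binds the proxy to one HttpURLConnection, whereas System.getProperties().putAll(...) mutates JVM-wide state that, inside a servlet container, is shared by every webapp and is never undone. The ProxyAwareConnector class and all host names are assumed or constructed for this example.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.util.Properties;

/**
 * Hypothetical helper (not OpenSST's HTTPHelper): opens an HttpURLConnection
 * and routes only that connection through a proxy described by the same
 * http.proxyHost / http.proxyPort keys the mailing-list patch used.
 */
public final class ProxyAwareConnector {

    /** Build a java.net.Proxy from the config, or NO_PROXY when no host is set. */
    static Proxy proxyFrom(Properties props) {
        String host = props == null ? null : props.getProperty("http.proxyHost");
        if (host == null || host.trim().isEmpty()) {
            return Proxy.NO_PROXY;
        }
        // Port defaults to 80 when only the host is given, matching the JDK convention.
        int port = Integer.parseInt(props.getProperty("http.proxyPort", "80").trim());
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("http.proxyPort out of range: " + port);
        }
        return new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host.trim(), port));
    }

    /** Open the connection; the proxy is scoped to this call and touches no global state. */
    static HttpURLConnection open(String url, String sendMethod, Properties proxyProps)
            throws IOException {
        // Same method check as the patch: only GET and POST are accepted.
        if (sendMethod == null || !(sendMethod.equals("POST") || sendMethod.equals("GET"))) {
            throw new IllegalArgumentException("invalid sendMethod: " + sendMethod);
        }
        URL realURL = new URL(url);
        HttpURLConnection uc = (HttpURLConnection) realURL.openConnection(proxyFrom(proxyProps));
        uc.setRequestMethod(sendMethod);
        uc.setDoInput(true);
        return uc;
    }

    public static void main(String[] args) throws IOException {
        Properties p = new Properties();                 // constructed sample config
        p.setProperty("http.proxyHost", "proxy.example.test");
        p.setProperty("http.proxyPort", "3128");
        HttpURLConnection uc = open("http://server.example.test/opensst", "GET", p);
        // Nothing is sent until connect()/getInputStream(); the proxy is bound to uc only.
        System.out.println(uc.getRequestMethod() + " via " + proxyFrom(p));
    }
}
```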
From: <S.S...@au...> - 2003-01-22 19:03:54
Hello Pascal,

> I've got a little class, used in some other java apps, that handles,
> pretty nicely, a global properties file containing the config variables.
> If you want to go the properties way for externalizing config variables, I
> suggest taking a look at my class (see attachment, package has to be
> adapted of course :)).
>

I am always hesitating between a regular Java properties file and an XML file

Maybe you have arguments that can help to choose between the two.

Anyway, your class (and my hesitation) only address part of the problem : the reading and writing of the data itself. This is only the top of the iceberg on this topic and the most easy part to solve :-)

The real problem, according to me, is to let the client figure out where the configuration file is and how he can read/write to it.

As you have noticed, a JWS application can not write the file system as easily : we have to use JWS storage services.

On the other hand, since we are in the context of a web application : i really like the idea of having the user's properties stored on the server (and the file being exchanged through opensst messages). This solution solves all deployment issues we are facing

> P.S.: By the way, I tested the stuff about the server being behind a proxy,
> works ok and is really easy to implement. Using a config properties file
> for this too would be perfect.
>

I really would like to see your modif (even with hardcoded proxy)

The output of a "diff -c" is fine for me.

I can commit that in the CVS tree

Thanks for the effort and your suggestions

Seb
From: Pascal S. <Pas...@se...> - 2003-01-22 16:08:20
Hi,

I've got a little class, used in some other java apps, that handles, pretty nicely, a global properties file containing the config variables. If you want to go the properties way for externalizing config variables, I suggest taking a look at my class (see attachment, package has to be adapted of course :)). If this is ok for you, I can even do it and commit it into the cvs tree, just tell me.

P.S.: By the way, I tested the stuff about the server being behind a proxy, works ok and is really easy to implement. Using a config properties file for this too would be perfect.

-- 
pst
From: <S.S...@au...> - 2003-01-16 10:30:14
Hello,

>> I was planning to add some nice UI to let the user choose the location.
>> For the server application, this should be part of the servlet
>> init-param (in web.xml)
>>

Having thought a little bit about this ... I should use the webstart API to have access to some storage mechanism on the client side

The code should probably be smart enough to figure out if it was launched with WebStart or not and behave accordingly

It's probably a 1 day dev

>> It's not implemented yet.
>> I already played with proxy, it must be quite easy since it is supported
>> by the URL.openConnection() (or something similar) java method
>> The proxy address should also be part of the user's config
>
>
> Ok I'm gonna focus on that, so I can get a completely working test suite
> :)

Thank you very much

Seb
From: Pascal S. <Pas...@se...> - 2003-01-16 08:18:08
On Thu, 2003-01-16 at 09:05, "Stormacq, Sébastien" wrote:
> >> Seb I think the /home/sst comes from the ant build.xml file, of the
> >> client or the server, don't remember :)
>
> okay, that's it ! Sorry I didn't look at the code since some months :-)
>
> >
> > Well I didn't really find a solution to that user.home problem, but
> > thought about it. Putting it in /tmp ? too risky = security issue ! The
> > only solution would be that the user has to specify where to put the
> > keystore, during key enrollment.
>
> I was planning to add some nice UI to let the user choose the location.
> For the server application, this should be part of the servlet
> init-param (in web.xml)
>
> >
> > In the meanwhile I hard coded it again to continue the tests. I've got
> > another question : When using the openSST-Base function to get an
> > encrypted tunnel to another location how do you handle users being
> > behind a proxy or firewall already (which is the case most of the time
> > !) ? Cause I am, and always get a "Connection timeout" error ! Where
> > can I say to openSST-proxy that it should communicate with my other proxy ?
> > Didn't find that in the code yet :(
> >
>
> It's not implemented yet.
> I already played with proxy, it must be quite easy since it is supported
> by the URL.openConnection() (or something similar) java method
> The proxy address should also be part of the user's config

Ok I'm gonna focus on that, so I can get a completely working test suite :)

>
> Seb

-- 
pst
From: <S.S...@au...> - 2003-01-16 08:06:44
>> Seb I think the /home/sst comes from the ant build.xml file, of the
>> client or the server, don't remember :)

okay, that's it ! Sorry I didn't look at the code since some months :-)

>
> Well I didn't really find a solution to that user.home problem, but
> thought about it. Putting it in /tmp ? too risky = security issue ! The
> only solution would be that the user has to specify where to put the
> keystore, during key enrollment.

I was planning to add some nice UI to let the user choose the location.
For the server application, this should be part of the servlet init-param (in web.xml)

>
> In the meanwhile I hard coded it again to continue the tests. I've got
> another question : When using the openSST-Base function to get an
> encrypted tunnel to another location how do you handle users being
> behind a proxy or firewall already (which is the case most of the time
> !) ? Cause I am, and always get a "Connection timeout" error ! Where
> can I say to openSST-proxy that it should communicate with my other proxy ?
> Didn't find that in the code yet :(
>

It's not implemented yet.
I already played with proxy, it must be quite easy since it is supported by the URL.openConnection() (or something similar) java method
The proxy address should also be part of the user's config

Seb