- From: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
- Date: Wed, 02 Apr 2008 14:48:57 +0000
- To: Story Henry <henry.story@bblfish.net>
- Cc: Henrik Nordstrom <henrik@henriknordstrom.net>, HTTP Group Working <ietf-http-wg@w3.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Story Henry wrote:
| Very interesting. I'd love to hear Arturo's feedback.

Hi Everybody, thanks for drawing me into this conversation. You can call me Buanzo. That URL is not really well maintained, so I'll provide better ones at the end of this message.

Enigform is a Mozilla Firefox extension that provides the ability to sign requests. Actually, it signs certain elements of the request (some headers, and the GET query string or POST payload). The signature and other elements, such as the Enigform version and GnuPG version, are appended to the request.

mod_openpgp is the Apache module that provides the necessary server-side element. It receives signed requests, verifies them, and adds headers with the useful information, which can then be used by PHP, etc. It can also import a public key sent via Enigform through an HTTP request, but I might remove that functionality or make it a server-side option.

But the most interesting feature is actually the Session Initiation Protocol. In short:

1) Browser sends a PGP-signed "begin session" request.
2) Server verifies it, then generates (and stores) a hash which is sent to the Browser, encrypted with PGP to the Client's public key.
3) Browser receives that hash and decrypts it. From then on, this session hash is appended to every outgoing request to the server. The session hash is included as one of the input elements for the PGP signature embedded in every request.
4) Server can verify whether any subsequent request has a valid session hash. Of course, the session is only verified if the request has a valid signature which includes it. Extra headers are added for PHP, etc. to use as application credentials.

So, basically, if I hit "Login", I get logged in without pain and quite securely.
Now, for those URLs:

http://enigform.mozdev.org - Main Enigform site (Firefox plugin)
http://freshmeat.net/articles/view/2599/ (an old freshmeat article I wrote in the early days)
http://www.freesoftwaremagazine.com/blogs/interview_with_arturo_busleiman (interview with some ideas, like how to use this for internet banking)
http://en.wikipedia.org/wiki/Enigform
http://en.wikipedia.org/wiki/Mod_auth_openpgp (next stable release will get the name changed to mod_openpgp)

I think I should subscribe.

- --
Arturo "Buanzo" Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH85gIAlpOsGhXcE0RCsWmAJ9S4Br0QHk5IdlVgj6yw+kl/igXCACdFF0N
3pTse3qr29AcsEuVDsl6ZQw=
=d51t
-----END PGP SIGNATURE-----
Received on Wednesday, 2 April 2008 19:37:13 UTC
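The four-step "begin session" exchange described in the message above, modelled end to end as an added example. This is not Enigform or mod_openpgp code: OpenPGP and GnuPG are replaced by a textbook RSA-over-SHA-256 stand-in (no padding, no key certificates, not secure) so that both sides run offline in one file, and the header names (`X-Session`, `X-Sig`, `X-OpenPGP-Session`), the set of elements covered by the signature, the `/begin-session` path and the HTTP status codes are all assumptions, not the project's. The point it makes beyond the prose is the last two requests in `demo()`: a request whose body was changed after signing, and a request that carries a copied session hash but no valid signature, are both rejected, because the server only consults the session hash after the signature over it has verified.

```python
"""Toy model of the Enigform/mod_openpgp session exchange. Assumptions: RSA
stand-in for OpenPGP, header names, signed elements, status codes. NOT secure."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin, adequate for a toy key only."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def keygen(bits=512):
    """Return (public, private) = ((e, n), (d, n)); toy RSA standing in for a PGP keypair."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):        # stand-in for the PGP signature embedded in the request
    return pow(_h(data), priv[0], priv[1])

def verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == _h(data)

def encrypt_to(pub, msg):    # stand-in for "encrypt to the Client's public key"
    return pow(int.from_bytes(msg, "big"), pub[0], pub[1])

def decrypt(priv, ct, length):
    return pow(ct, priv[0], priv[1]).to_bytes(length, "big")

SIGNED_HEADERS = ("host", "x-session")   # assumption: headers covered by the signature

def canonical(method, path, headers, body):
    """Signature input: method, path+query (GET) or body (POST), selected headers."""
    lines = [method, path] + [f"{k}:{headers.get(k, '')}" for k in SIGNED_HEADERS]
    return "\n".join(lines + [body]).encode()

class Client:                # browser side (the Enigform role)
    def __init__(self):
        self.pub, self.priv = keygen()
        self.session = None

    def request(self, method, path, body=""):
        headers = {"host": "example.test"}
        if self.session:     # step 3: session hash rides on every later request
            headers["x-session"] = self.session
        headers["x-sig"] = str(sign(self.priv, canonical(method, path, headers, body)))
        return method, path, headers, body

    def begin_session(self, server):   # steps 1 and 3
        resp = server.handle(*self.request("GET", "/begin-session"))
        self.session = decrypt(self.priv, resp["ciphertext"], 32).hex()

class Server:                # Apache side (the mod_openpgp role); holds only the public key
    def __init__(self, client_pub):
        self.client_pub, self.sessions = client_pub, set()

    def handle(self, method, path, headers, body):
        sig = int(headers.get("x-sig", "0"))
        if not verify(self.client_pub, canonical(method, path, headers, body), sig):
            return {"status": 403, "reason": "bad signature"}  # nothing else is consulted
        if path == "/begin-session":                           # step 2
            token = secrets.token_bytes(32)
            self.sessions.add(token.hex())
            return {"status": 200, "ciphertext": encrypt_to(self.client_pub, token)}
        if headers.get("x-session") not in self.sessions:     # step 4
            return {"status": 401, "reason": "no valid session"}
        return {"status": 200, "x-openpgp-session": "valid"}  # credential for PHP etc.

def demo():
    """Statuses of: pre-session, in-session, tampered and forged requests."""
    client = Client()
    server = Server(client.pub)
    before = server.handle(*client.request("GET", "/app?x=1"))
    client.begin_session(server)
    after = server.handle(*client.request("POST", "/app", "a=1"))
    tampered = server.handle(*client.request("POST", "/app", "a=1")[:3], "a=2")
    stolen = {"host": "example.test", "x-session": client.session, "x-sig": "1"}
    forged = server.handle("GET", "/app", stolen, "")   # copied hash, no valid signature
    return before["status"], after["status"], tampered["status"], forged["status"]
```

Running `demo()` yields `(401, 200, 403, 403)`: the unsessioned request is refused for lack of a session, the in-session request is accepted, and both the tampered and the forged request fail at the signature check before the session store is ever consulted. A real deployment would of course use GnuPG's signing and public-key encryption in place of the toy RSA here, and would bind the session hash to a lifetime and to the verifying key's identity.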