Forum OpenACS Q&A: Certificate Authority module

Posted by Pascal Scheffers on
I have been wondering if anyone would be interested in having an
integrated (SPKI) Certificate Authority in OpenACS. This could be
neat for things like (administrator) certificate logon, and peer-to-
peer signed and/or encrypted email, signed bboard postings and
whatnot. Your OpenACS-Certificate Authority Certificate could be a
root CA (like Verisign is) or a sub-CA. The OpenSSL crypto libraries
can be used to create certificate authority software without too much
effort, so we would not need any proprietary software.

Is this something worth writing?

Posted by Don Baccus on
Wouldn't something like this make more sense if it were generalized in a way useful to the opennsd community at large?
Posted by Pascal Scheffers on
Well, to make it good for the community-at-large, we could set up openacs.org as the root Certificate Authority and give all OpenACS sites the option to get their SSL server certificate from that server. Next up we could start issuing sub-CA certificates to all OpenACS sites out there, so they can give out certificates to their members.

For developers we could use it to enable package signing, so OpenACS packages can be downloaded directly from the internet and you can be certain it has not been modified.

Personally I am not really into code-signing, as this tends to give a very false sense of security, and in general is not worth the effort. I would just like to do signed postings and email.
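
The hierarchy proposed in the post above (a root CA, a sub-CA per site, certificates for members), as an added example that is not part of the original thread: a shell script using the `openssl` command line. The subject names, file names, 30-day validity and the `pathlen:0` / `CA:FALSE` constraints are assumptions chosen for illustration; the last check shows that a member certificate cannot itself act as a CA.

```shell
#!/bin/sh
# Added example: root CA -> per-site sub-CA -> member certificate (openssl CLI).
# All subject names and file names are constructed for illustration.

new_csr() {  # $1 = file stem, $2 = common name; writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

issue() {  # $1 = subject stem, $2 = issuer stem, $3 = extension section in ext.cnf
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

build_hierarchy() (  # $1 = empty working directory; runs in a subshell
  cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[member]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth,emailProtection
EOF
  new_csr root "Example Root CA" && new_csr site "Example Site Sub-CA" &&
  new_csr member "Example Member" && new_csr rogue "Issued By A Member" &&
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ext.cnf -extensions root -out root.crt 2>/dev/null &&
  issue site root subca && issue member site member &&
  issue rogue member member &&   # a member key misused as if it were a CA key
  cat site.crt member.crt > chain.pem
)

# Member certificate chains to the root through the site sub-CA: succeeds.
verify_member() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/site.crt" "$1/member.crt" >/dev/null 2>&1; }

# Certificate issued by a member (CA:FALSE) must not validate: fails.
verify_rogue() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/chain.pem" "$1/rogue.crt" >/dev/null 2>&1; }

dir=$(mktemp -d) && build_hierarchy "$dir"
verify_member "$dir" && echo "member cert: valid chain"
verify_rogue "$dir" || echo "cert issued by a member: rejected"
rm -rf "$dir"
```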

Posted by Tom Mizukami on
I would be very interested. After a user fills out a form and submits, I need to be able to return a confirmation form that the user can then apply an electronic signature to.
Posted by Todd Gillespie on
Such an app would rock the free world, or at least my neighborhood. I would love to certify that other servers trying to dump large XML files directly into my DB are who they say they are.

"I have heard of a DOM
who forms documents so beautifully
that if he only speaks it's <!DOCTYPE>
servers give root to him.
If I am numb upon the console,
while silence blossoms like tumors on XEmacs,
it is because I hear the sound
of a POST
cross the firewall
and utter '<?xml version="1.0"?>'
outside my door."

with apologies to Leonard Cohen
Posted by Pascal Scheffers on
Tom,
client-side signatures on browser forms are, unfortunately,
not trivial at the moment. There is no standard browser command that
lets you sign things. In Internet Explorer, everything would be
available from VBScript, but that would raise hell dialog-wise on the
client side (expect something like four different warnings from IE
before the user can sign something).

A better approach would be a browser plug-in. There are some
commercial products available; if someone knows of a free plugin,
please speak up! I have no idea of how to do this in Netscape,
although, god forbid, I am willing to go for an IE-only solution at
first. I am not very impressed by the ease of use of the Netscape
certificate store & handling.

Certificate logon is a standard feature of IE 4+ and Netscape 4+ (the
earlier versions do something, but suck big time), so community
members will be able to log on with their certificates. If you are not
too picky, certificate logon can be viewed as 'signing a form'
although it is definitely something else.

Todd,
server-to-server communication with server-to-server
certificates is also somewhat problematic, as (again) there are not
many good/free HTTPS protocol implementations out there that can perform
this trick (there are plenty of commercial solutions). It can be done
with OpenSSL, by the way. For server-to-server I would probably suggest
using an open source tunneling solution.

Posted by Albert Langer on
Integrated PKI certificates sounds like a great idea!!!

BTW PostgreSQL now has plpython as a stored procedure language
and there is a Python CA:

http://www.pyca.de/

http://users.ids.net/~bosma/

Python crypto just wraps C libraries like OpenSSL
so should be as efficient as possible.

Dunno, but it might be possible to do this as
a generic PostgreSQL facility that can be used
with OpenACS, by doing most of it right within
the database and just the minimum extra in the
web platform. Could reach "critical mass" quicker
as well as being a very optimal design.