Hello Nuno,

In the meantime there has been some discussion on the OASIS XDI TC list on these access control questions:

http://lists.oasis-open.org/archives/xdi/201005/msg00004.html
http://lists.oasis-open.org/archives/xdi/201006/msg00007.html
The consensus seems to be that there can be different ways in which people can authenticate to an XDI endpoint (e.g. by signature, password, OAuth token, etc.). And that - like you suggest - if the XDI endpoint "belongs to you", link contract enforcement is bypassed.

Markus

On Wed, May 19, 2010 at 2:32 AM, Nuno Rosa <[email protected]> wrote:

> Hi Markus.
>
> Yes it really helped. I forgot to decode the key string.
>
> In the meanwhile, if you could give a clarification on that flow:
> The message structure we send to the i-broker to retrieve account details
> (http://www.ibrokerkit.com/components/XdiFrontExamples/)
>
>     =web*markus
>     $is$a
>     =
>     $password
>     "secret"
>     $get
>     /
>     =web*markus
>     +city
>     +country
>
> If a subject has a $password predicate, should the sender always be capable
> of operating on it (providing the secret) without signing the message and
> avoiding link contracts?
> Will it be a part of the XDI specification or left to implementors to decide?
>
> Thank you,
> Nuno R.
>
> 2010/5/19 Markus Sabadello <[email protected]>
>
>> Hello Nuno,
>>
>> First of all, this is EXACTLY what we in the XDI world are envisioning,
>> i.e. a flow like this:
>> 1. User (or web service acting on behalf of user) retrieves the private/public
>> key pair associated with the i-name. This is done by sending an XDI message
>> to the i-broker (e.g. freexri.com) that includes the i-name's password.
>> 2. User (or web service acting on behalf of user) can now send signed XDI
>> messages to XDI endpoints.
>> 3. XDI endpoints can discover the user's certificate using XRI resolution
>> and therefore verify the incoming XDI messages.
>>
>> Now to your question:
>>
>> I'm not familiar with the methods you are using.
>> I normally do it like this:
>>
>>     import java.security.KeyFactory;
>>     import java.security.PrivateKey;
>>     import java.security.spec.PKCS8EncodedKeySpec;
>>
>>     import org.apache.commons.codec.binary.Base64;
>>     import org.eclipse.higgins.xdi4j.Graph;
>>     import org.eclipse.higgins.xdi4j.messaging.Message;
>>     import org.eclipse.higgins.xdi4j.messaging.MessageEnvelope;
>>     import org.eclipse.higgins.xdi4j.messaging.Operation;
>>     import org.eclipse.higgins.xdi4j.signatures.Signatures;
>>     import org.eclipse.higgins.xdi4j.xri3.impl.XRI3Segment;
>>
>>     public class Test {
>>
>>         public static final String ENCRYPTION_ALGORITHM = "RSA";
>>
>>         public static void main(String[] args) throws Exception {
>>
>>             // Base64-encoded PKCS#8 private key, as handed out by the i-broker
>>             String strKey = "MIIEwAI.....";
>>
>>             // Decode the Base64 text first: the key factory expects raw DER bytes
>>             KeyFactory keyFactory = KeyFactory.getInstance(ENCRYPTION_ALGORITHM);
>>             PKCS8EncodedKeySpec privateKeySpec =
>>                     new PKCS8EncodedKeySpec(Base64.decodeBase64(strKey.getBytes()));
>>             PrivateKey privateKey = keyFactory.generatePrivate(privateKeySpec);
>>
>>             // Build a $get message for =markus+email
>>             MessageEnvelope envelope = MessageEnvelope.newInstance();
>>             Message message = envelope.newMessage(new XRI3Segment("=markus"));
>>             Operation operation = message.createGetOperation();
>>             Graph operationGraph = operation.createOperationGraph(null);
>>             operationGraph.createStatement(new XRI3Segment("=markus"),
>>                     new XRI3Segment("+email"));
>>
>>             // Sign the message subject with the decoded private key
>>             Signatures.sign(message.getSubject(), privateKey);
>>
>>             System.out.println(envelope.toString());
>>         }
>>     }
>>
>> Does that help? Let me know if you still have trouble or other questions.
>>
>> Markus
>>
>> On Tue, May 18, 2010 at 12:24 PM, Nuno Rosa <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> freexri.com issued a certificate associated with my i-name and I got a
>>> private key to sign messages and grant authenticity;
>>> but I'm having a hard time trying to sign XDI message envelopes.
>>> Here's a snippet of my code:
>>>
>>>     final String strKey = "MIIEvwIBADANB....";
>>>     [...]
>>>     // strKey is still the Base64 text here, not decoded DER
>>>     DerValue dv = new DerValue(strKey);
>>>     envelope.sign(PKCS8Key.parseKey(dv));
>>>
>>> it throws the following error:
>>>
>>>     Exception in thread "main" java.io.IOException: corrupt private key
>>>         at sun.security.pkcs.PKCS8Key.parseKey(PKCS8Key.java:104)
>>>
>>> Can you give me some hints, an example of how to sign it?
>>>
>>> Best regards,
>>> Nuno R.
_______________________________________________
higgins-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/higgins-dev
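The key-loading mistake discussed in this thread, as an added example that is not code from the thread or from xdi4j: it generates a throwaway RSA key pair locally instead of fetching one from an i-broker, shows that handing the Base64 text itself to the key factory is rejected, then decodes it, signs a message with the private key and verifies the signature with the public key, as an XDI endpoint would in step 3 of the flow above. It uses java.util.Base64 instead of commons-codec and the plain JDK Signature API instead of xdi4j's Signatures.sign; the signed message text is a constructed stand-in for a serialized XDI message.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class Pkcs8LoadDemo {

    // Parse PKCS#8 DER bytes into an RSA private key (what the i-broker key needs)
    static PrivateKey loadPkcs8(byte[] der) throws Exception {
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed locally: stands in for the key pair an i-broker would return
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String strKey = Base64.getEncoder().encodeToString(kp.getPrivate().getEncoded());

        // Wrong: the Base64 characters are not DER, so parsing fails (the "corrupt key" case)
        try {
            loadPkcs8(strKey.getBytes(StandardCharsets.US_ASCII));
            System.out.println("unexpected: undecoded key was accepted");
        } catch (InvalidKeySpecException e) {
            System.out.println("undecoded Base64 rejected: " + e.getMessage());
        }

        // Right: decode the Base64 text first, then parse the PKCS#8 bytes
        PrivateKey privateKey = loadPkcs8(Base64.getDecoder().decode(strKey));

        // Sign a (constructed) serialized message with the private key
        byte[] payload = "=markus$get/=markus+email".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(payload);
        byte[] sig = signer.sign();

        // Verify with the public key, as an endpoint that resolved the certificate would
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(payload);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```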
