Re: Web-of-trust authentication in OpenSSL.
Dr Bob wrote: Dear OpenSSL developers, I've been developing an private peer-to-peer application based on OpenSSL (Thank you, to all the developers who have put time into OpenSSL) Initially I used X509 certificates for the authentication between peers, However I quickly realised that a hierarchical certificate structure was not ideal, and that a Web of Trust system would be required. So I've implemented an web-of-trust style authentication system inside OpenSSL. It is basically a combination of OpenPGP style certificates and SSL3/TSL1 connection After 6+ months of work, I've finished the first working prototype. and would like to share it with the OpenSSL developers of the world (and contribute back). Hence this email! So: (1) Is OpenSSL interested in including this work into the code base (provided its up-to-scratch etc...) ? (2) If so, is there anyone who could [guide/help] me to clean it up and correctly merge the code? (3) What are the procedures for doing so (I'm new around here) I haven't put the code on the website yet, (soon... there is never enough time to get everything done). but you can see it at work in my application: RetroShare available at http://www.lunamutt.com. Looking forward to any comments. Thanks. Mark. --- More information about the implementation follows. The work was done on openssl-0.9.7g, and consisted of the following modifications: (a) define a ASN1 web-of-trust certificate (a XPGP Certificate) + implement helper functions. (b) create a XPGP_method() derived from the ssl3 methods. This effectively uses the XPGP certificate instead of the X509 certificate. (all the rest is the same) (c) create a web-of-trust authentication system. Most of the implementation fits in nicely with the rest of openSSL. The most significant issues are: (1) the SSL part of OpenSSL does not allow alternative certificate types, I therefore transformed CERT into a union. (I'm all ears for alternatives) (2) The Authentication System is current rather crude and inefficient, and is not connected to the STOREs in anyway. (probably needs a redesign) (3) the Certificate Definition needs to be checked. (would like to make it compatible with GPG/OpenPGP etc) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED] Dear DR Bob i installed retroshare on windows some questions : whats the gui library name why retroshare uses selfsigned pgp certificate . how can i find more people usinn this software regrads __ Shahin Khorasani PKI Dept. Sharif SecureWare Co. www.parssign.com __ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Web-of-trust authentication in OpenSSL.
You should be able to implement your code using the callbacks, without having to add code to the library directly. This is, I believe, not available in 0.9.7g -- most of the callbacks were implemented in 0.9.8. (You should always be able to contribute in the contrib/ directory, though examples of how to use the library as-is without having to recompile it are likely more includable. An example of how to extend the authentication mechanism, though, is definitely useful.) If you make the code available, this is an area that I have interest in, and would gladly help with making 0.9.8- and 0.9.9-capable. [more comments interspersed below] On 9/26/06, Dr Bob [EMAIL PROTECTED] wrote: Initially I used X509 certificates for the authentication between peers, However I quickly realised that a hierarchical certificate structure was not ideal, and that a Web of Trust system would be required. I would like to have a hybrid WoT and hierarchal system (i.e., if people I trust show that they trust a given issuer for a given domain, I'd like to be able to trust that issuer for that domain... such as [EMAIL PROTECTED] being able to issue to [EMAIL PROTECTED] and [EMAIL PROTECTED]). I think that this is probably possible with the OpenPGP trusted introducers concept? So: (1) Is OpenSSL interested in including this work into the code base (provided its up-to-scratch etc...) ? It's unlikely to be put into the main code base, as it adds a new set of security-related functions which would need to be audited, etc. As I suggested, though, it might do well in the contrib/ section (though I'm not a core developer, and have no commit access, so I can't prove that point). :) (2) If so, is there anyone who could [guide/help] me to clean it up and correctly merge the code? Run it through indent. Also, document your functions, what incoming constraints there are, and what output constraints you guarantee. I'd gladly help with the cleanup process (again, that's for 0.9.8 and 0.9.9 capability). (3) What are the procedures for doing so (I'm new around here) Umm... I would think that you could file a patch against the base OpenSSL distribution in rt, with the code appropriately located in contrib/. I don't know for certain, though. -Kyle H __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
