Sounds interesting.. I think I will take this to the developers mailing list and see if I will be able to generate some interest in the idea..
Albin onsdag den 4. juli 2012 skrev Jan Bot : > Hi, > > This would really be a great feature: I'm using CouchDB to manage grid > compute jobs and having the ability to sign a document using a private key > and check it server side with the public key could really make couchdb part > of the grid infrastructure. > > Cheers, > > Jan > > On Wed, Jul 4, 2012 at 11:17 AM, Albin Stigö > <[email protected]<javascript:;>> > wrote: > > > Hi, > > > > Jens, thanks for the link. Did you ever finish the app where you were > > using these techniques? > > > > First I naively thought that it would be enough to hash the body of > > what you are going to PUT/POST and then sign that hash and include the > > signature as a custom http header. I guess this would work for > > verifying the data on the first post but you would not be able to > > verify the signature later if couchdb does any parsing of the > > transported data. > > > > What you are suggesting using a canonical representation of of JSON > > seems like a much better idea it also apparently what oauth uses. > > > > I guess this would require some hacking on couchdb. It would be really > > neat to have a _keys database much like the _users and for for > > documents to have a _signature field. What do you thin..? > > > > --Albin > > > > > > > > On Wed, Jul 4, 2012 at 3:07 AM, Jens Alfke > > <[email protected]<javascript:;>> > wrote: > > > > > > On Jul 3, 2012, at 10:01 AM, Jim Klo wrote: > > > > > >> Yes, and as a matter of fact, i just got digital signature validation > > using OpenPGP within a map function working a few minutes ago! > > >> Here's a link to the relevant code: > > > https://github.com/jimklo/TheCollector/blob/master/dataservices/thecollector-resources/views/lib/sig_utils.js > > > > > > As far as I can tell, this code uses a data schema where the signed > > contents are wrapped in some kind of OpenPGP encoding: > > > > > >> var msg_list = > > openpgp.read_message(doc.digital_signature.signature); > > >> for (var i=0; i<msg_list.length; i++) { > > >> isValid |= msg_list[i].verifySignature(); > > >> } > > > > > > It looks like msg_list is the actual document payload, which has to be > > decoded using openpgp.read_message. > > > > > > This is IMHO not a very good solution because it hides the document > > contents away — for example, all the map functions and any app logic that > > uses documents will have to know to call read_message, which will also > make > > them slower. > > > > > > The schema I implemented (see my previous message) doesn't alter the > > basic document format. The signature is in a nested object but applies to > > the entire document contents (minus the signature itself of course). > > There's no need to change any code that reads documents; the only time > you > > have to know about the signature scheme is while verifying the signature. > > It's even possible to have multiple signatures on a document. > > > > > > —Jens > > >
