[e-lang] Fwd: Chat with kpreid at waterpoint.org

Thomas Leonard tal at it-innovation.soton.ac.uk
Thu Sep 24 05:37:13 EDT 2009


On Sat, 2009-09-19 at 12:40 -0700, Bill Frantz wrote:
> erights at gmail.com (Mark Miller) on Saturday, September 19, 2009 wrote:
> 
> >On Thu, Sep 17, 2009 at 10:11 AM, Thomas Leonard
> ><tal at it-innovation.soton.ac.uk> wrote:
> >> One thing that is slightly bothering me is that it doesn't seem to use
> >> SSL/TLS. I found this page:
> >>
> >> http://www.erights.org/elib/distrib/vattp/SSLvsDataComm.html
> >>
> >> but it is dated 1998. I think I will have a hard time trying to convince
> >> people that E's custom system is secure / will be updated if problems
> >> are found. It would make my life easier if I could just say it uses the
> >> Java SSL libraries for transport layer security.
> >
> >...
> >
> >* Switching from our custom DataComm to a VatTP layered on top of TLS.
[...]
> When two vats connect, they exchange public keys. The vats check the public
> key they receive against the SHA1 hash in any sturdy refs to be used,
> providing assurance that the remote vat is indeed the correct vat. This
> procedure is quite different from the certificate authority procedure used
> by standard SSL/TLS. It is not clear that all SSL/TLS libraries will have
> the user-exits to support this form of authentication. It may be necessary
> to adopt a new approach to provide distributed public key authentication.

I'm not sure about other languages, but in Java you should be able to do
something like this, creating a new socket factory for each connection
(untested):

  SSLContext ctx = SSLContext.getInstance("TLS");
  ctx.init(myKeyManagers, new TrustManager[] {new CapTPTrustManager(vatPublicKeyHash)}, null);
  SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
  ...

  class CapTPTrustManager implements X509TrustManager {
    ...

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
      // compare chain[0]'s public key against vatPublicKeyHash...
    }
  }


-- 
Dr Thomas Leonard
IT Innovation Centre
2 Venture Road
Southampton
Hampshire SO16 7NP

Tel: +44 0 23 8076 0834
Fax: +44 0 23 8076 0833
mailto:tal at it-innovation.soton.ac.uk
http://www.it-innovation.soton.ac.uk 
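
A complete version of the trust manager sketched in the message above, as an added example that is not part of the original post or of E's code. It assumes the sturdy ref hash is the SHA-1 of the key's X.509 SubjectPublicKeyInfo encoding (E's actual hash input may differ); `checkPeer` and `factoryFor` are hypothetical helper names.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Trusts a peer only if the SHA-1 of its certificate's public key matches
// the hash carried in the sturdy ref; no certificate authority is consulted.
final class CapTPTrustManager implements X509TrustManager {
  private final byte[] vatPublicKeyHash;

  CapTPTrustManager(byte[] vatPublicKeyHash) {
    this.vatPublicKeyHash = vatPublicKeyHash.clone();
  }

  // Assumption: the hash covers the key's X.509 SubjectPublicKeyInfo (DER) encoding.
  private void checkPeer(X509Certificate[] chain) throws CertificateException {
    if (chain == null || chain.length == 0) {
      throw new CertificateException("peer sent no certificate");
    }
    try {
      byte[] actual = MessageDigest.getInstance("SHA-1")
          .digest(chain[0].getPublicKey().getEncoded());
      // Reject on any mismatch; the rest of the chain is deliberately ignored.
      if (!MessageDigest.isEqual(actual, vatPublicKeyHash)) {
        throw new CertificateException("peer key does not match sturdy ref hash");
      }
    } catch (NoSuchAlgorithmException e) {
      throw new CertificateException("SHA-1 unavailable", e);
    }
  }

  @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
      throws CertificateException { checkPeer(chain); }
  @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
      throws CertificateException { checkPeer(chain); }

  // No CA is trusted: the pinned key hash is the only trust anchor.
  @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

  // One context (and socket factory) per connection, as in the message above.
  static SSLSocketFactory factoryFor(KeyManager[] myKeyManagers, byte[] hash) throws Exception {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(myKeyManagers, new TrustManager[] { new CapTPTrustManager(hash) }, null);
    return ctx.getSocketFactory();
  }
}
```

On the accepting side, `checkClientTrusted` only runs if the server socket requests a client certificate, for example with `SSLServerSocket.setNeedClientAuth(true)`.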


