On 11 Feb 2010, at 20:24, Sergiu Dumitriu wrote:
On 02/10/2010 12:44 PM, Story Henry wrote:
Hi,
Having got Xwiki to produce RDFa (very easy), and having switched off
Twitter to allow me to concentrate, I am now working on allowing a
user to click a button in his profile, and have it create a foaf+ssl
certificate (which is just a normal certificate, but with a URL in
the subject alternative name). The code for this is very simple:
http://github.com/harbulot/keygenapp/blob/master/samplewebapp/src/main/java…
(with a few lines of tweaks required to add the certificate
information to the profile page).
What happens is that a <keygen> XML element is added to a <form>
element in the user's profile page. This forces the browser (Safari,
Firefox, Opera) to create a <public, private> key pair and send the
public part to the servlet referred to above (MiniCaServlet).
What about IE? Not that I like it, but most enterprise users are still
on IE6.
You can do it as shown here I think. This html:
http://github.com/harbulot/keygenapp/blob/master/samplewebapp/src/main/weba…
will call this javascript:
http://github.com/harbulot/keygenapp/blob/master/samplewebapp/src/main/weba…
With IE one has to use an ActiveX component. We have not checked this out that much yet,
and it may be possible to do a lot better than that javascript....
More on
http://esw.w3.org/topic/foaf+ssl
That servlet creates a certificate and sends it back to an invisible
iframe. The browser then adds that cert to the keystore (this is done
automatically, it's part of browser behavior).
Do you have a link to some documentation about this behavior?
Yes, it is now defined in HTML5
http://dev.w3.org/html5/spec/Overview.html#the-keygen-element
So to move this code to XWiki, I understand I should create a
component. I read about it here:
http://platform.xwiki.org/xwiki/bin/view/DevGuide/WritingComponents
Yes, that's the right approach. You should also read about the new
scripting service, see
http://jira.xwiki.org/jira/browse/XWIKI-4853 and
http://markmail.org/thread/g4z56pl734lng2ym
and it makes sense. From a component I can get the user, and from
that I can get his profile page, and then I can add the public key
information to his profile (I wrote a RSAKeyClass in Xwiki to do
this).
RSAKeyClass as a class inside com.xpn.xwiki.objects.classes, similar to
PasswordClass, NumberClass and the like? Yes, that is good. You also
need a RSAKeyMetaClass in com.xpn.xwiki.objects.meta, and register it in
com.xpn.xwiki.objects.meta.MetaClass
Alternatively, you could just use the TextAreaClass for the moment,
although that's 0 security.
(No, we don't want people to edit their public/private keys. That would just cause
confusion.)
The component should finally send the newly generated certificate
back to the client, which it can do because it has access to the
HTTPServletResponse.
But where would I put such a component? In a specific wiki page?
Better as a jar inside WEB-INF/lib. Given that it adds a new property
type to the data model, it should be a key component inside the platform.
Does all that make sense? If not let me know before I go and code it
up.
Looks good to me so far, but I have a couple more questions/suggestions:
- You must make sure that the private key can't be publicly accessed
There are two keys that need to be mentioned here:
- the key from the browser: the browser will only send the public key to the server, so
it is up to the client to be careful about this
- the key of the Xwiki server that will sign the incoming keys
One could create a certificate on the fly per installation of an Xwiki server, as this
just needs to be self-signed. Well, it would be useful to make it a little specific, by, for
example, giving it a reasonable LDAP name (Distinguished Name).
- What do you plan to do with these keys afterwards?
- The process that you described (browser creates key, sends public part
to server, server creates certificate and sends back to browser) does
not mention anything about what happens within the user profile. Could
you go into more details?
The user profile will show a public key marked up in RDFa. There could be a number of
them. See my profile
http://bblfish.net/ for an example.
This is then used to authenticate the user. More on the wiki, but the short version is
here:
http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to
Henry
Henry
PS. It would be fun later to have the User's Profile page be a bit
Ajaxy, so that if it notices a change to the invisible iframe the
browser can make a request to XWiki to refresh the table of public
keys displayed to the user.
Social Web Architect
http://bblfish.net/
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
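As an added illustration of the MiniCaServlet flow discussed in this thread (this is not code from the thread, from XWiki or from keygenapp), a hypothetical class that decodes the SPKAC a <keygen> element posts, signs a certificate carrying the WebID in the subjectAltName with a per-installation key that has a Distinguished Name, and reads the key material back out for the RDFa profile. It assumes the BouncyCastle bcprov/bcpkix libraries; class, method and parameter names are my own, and NetscapeCertRequest is assumed available (it is deprecated in recent BouncyCastle releases).

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.jce.netscape.NetscapeCertRequest;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical mini CA for foaf+ssl; not code from XWiki or keygenapp. Uses BouncyCastle bcprov/bcpkix APIs. */
public class FoafSslMiniCa {
    private final KeyPair caKeys;  // per-installation signing key; the private half never leaves the server
    private final X500Name caName; // a reasonable Distinguished Name for this installation, as suggested above

    public FoafSslMiniCa(String installationDn) throws Exception {
        Security.addProvider(new BouncyCastleProvider()); // NetscapeCertRequest verifies via the "BC" provider
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        caKeys = kpg.generateKeyPair();
        caName = new X500Name(installationDn);
    }
    /** <keygen> posts a base64 SPKAC: the public key plus a challenge, signed with the browser-held private key. */
    public PublicKey publicKeyFromSpkac(String base64Spkac, String expectedChallenge) throws Exception {
        NetscapeCertRequest req = new NetscapeCertRequest(Base64.getMimeDecoder().decode(base64Spkac));
        if (!req.verify(expectedChallenge)) throw new SecurityException("SPKAC challenge or signature mismatch");
        return req.getPublicKey(); // only the public half ever reaches the server
    }
    /** A normal X.509 end-entity certificate whose subjectAltName carries the user's WebID as a URI. */
    public X509Certificate issue(PublicKey userKey, String webId, String cn, long serial, int days) throws Exception {
        Date notBefore = new Date(), notAfter = new Date(notBefore.getTime() + days * 86_400_000L);
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(caName, BigInteger.valueOf(serial),
                notBefore, notAfter, new X500Name("CN=" + cn), userKey); // cn is cosmetic; foaf+ssl uses the SAN
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, webId)));
        return new JcaX509CertificateConverter()
                .getCertificate(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(caKeys.getPrivate())));
    }
    /** On authentication, read the WebID back out of the presented certificate (GeneralName type 6 = URI). */
    public static String webIdOf(X509Certificate cert) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) for (List<?> n : sans) if (Integer.valueOf(6).equals(n.get(0))) return (String) n.get(1);
        return null;
    }
    /** Modulus (hex) and exponent to mark up in the user's RDFa profile, which the WebID is then checked against. */
    public static String[] profileKeyFields(X509Certificate cert) {
        RSAPublicKey rsa = (RSAPublicKey) cert.getPublicKey();
        return new String[] { rsa.getModulus().toString(16), rsa.getPublicExponent().toString() };
    }
}
```

A servlet would call publicKeyFromSpkac on the posted form field, then issue, and write the DER bytes back as application/x-x509-user-cert so the browser stores the certificate next to the private key it generated.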