Re: [ogpx] Fwd: Context for Service Establishment in OGP

Yes, that's what .NET does. You define a callback that has access to a helper function to determine if all the crypto bits are in the right spot, but other than a basic sanity check you have to walk the certificate chain yourself and do your own checks. "Does the fingerprint of this cert match my intermediate cert or the root cert? If yes..."

John

> -----Original Message-----
> From: Infinity Linden [mailto:infinity@lindenlab.com]
> Sent: Monday, June 01, 2009 11:20 AM
> To: Hurliman, John
> Cc: ogpx@ietf.org
> Subject: Re: [ogpx] Fwd: Context for Service Establishment in OGP
> 
> cool. lemme go look at it. i think the one thing we're looking at
> doing that's "allowed by pkix, x.509 and TLS; but not implemented by
> many libraries" is the ability to do cert chain validation based on
> the root AND an intermediate cert. i'm most familiar with OpenSSL that
> allows you to define a callout for cert chain validation (but which is
> a royal pain in the keester to implement). i'm assuming other stacks
> have the ability to do similar callouts, and it sounds like you're
> about 95% of the way there already.
> 
> hmm... lemme write down a few notes about where i think we're at with
> the PKI stuff so peeps can see if it makes sense to them
> 
> -cheers
> -m
> 
> On Mon, Jun 1, 2009 at 11:09 AM, Hurliman, John
> <john.hurliman@intel.com> wrote:
>> (I made the same mistake in response)
>> 
>> If it's of any use, I wrote a C# library called OpenMetaverse.Http
> that is capable of generating root certificates and signed client
> certificates that can be fed into HttpWebRequest as an SSL client
> cert, plus some basic routines for doing the cert checks on the
> server. Right now it's only doing a very crude check to make sure the
> root certificate shows up somewhere in the certificate chain of the
> client cert and that the chain is valid. No revocation checks or anything.
>> 
>> John
>> 
>>> -----Original Message-----
>>> From: ogpx-bounces@ietf.org [mailto:ogpx-bounces@ietf.org] On
>>> Behalf Of Infinity Linden
>>> Sent: Monday, June 01, 2009 11:04 AM
>>> To: ogpx@ietf.org
>>> Subject: [ogpx] Fwd: Context for Service Establishment in OGP
>>> 
>>> whoops... sent "reply" instead of "reply to all"...
>>> 
>>> 
>>> ---------- Forwarded message ----------
>>> From: Infinity Linden <infinity@lindenlab.com>
>>> Date: Mon, Jun 1, 2009 at 11:03 AM
>>> Subject: Re: [ogpx] Context for Service Establishment in OGP
>>> To: "Hurliman, John" <john.hurliman@intel.com>
>>> 
>>> 
>>> kk. david and i are threatening to just go off and hack OpenSim to
>>> handle the X.509 client certiness. i think we're probably going to do
>>> a few more rounds of thought experiments and documenting before we run
>>> off and do that, though.
>>> 
>>> we might want to all three meet in world somewhere (with the agenda
>>> and minutes of the meeting posted here so other interested peeps
>>> can
>>> participate) and come up with a plan for merging your OAuth stuff
>>> with the X.509 stuff we're doing.
>>> 
>>> in theory... at the end of this process, we'll have a document that
>>> describes what we've been doing; what worked; what didn't. we then
>>> get to add that to a draft somewhere and declare victory.
>>> 
>>> -cheers
>>> 
>>> On Mon, Jun 1, 2009 at 10:43 AM, Hurliman, John
>>> <john.hurliman@intel.com> wrote:
>>>> Great to see these ideas written down and being refined. I'm eager
>>>> to see the client cert + OAuth example.
>>>> 
>>>> John
>>>> 
>>>>> -----Original Message-----
>>>>> From: ogpx-bounces@ietf.org [mailto:ogpx-bounces@ietf.org] On
>>>>> Behalf Of Infinity Linden
>>>>> Sent: Monday, June 01, 2009 2:50 AM
>>>>> To: ogpx@ietf.org
>>>>> Subject: [ogpx] Context for Service Establishment in OGP
>>>>> 
>>>>> whoops... that last message went out without context...
>>>>> 
>>>>> i've been talking with John Hurliman about OAuth and David Lavine
>>>>> regarding X.509, and at some point it made sense to abstract the
>>>>> three different authentication / authorization schemes into a single
>>>>> "service establishment pattern." The message I just sent out really
>>>>> describes only the mechanism (and only enough mechanism to
>>>>> understand the concept.) over the next couple of weeks, i'd like to
>>>>> add some more detail to this and integrate it into the OGP :
>>>>> Authentication document. So feedback will definitely be welcomed.
>>>>> 
>>>>> to recap:
>>>>> 
>>>>> * there are three different types of authentication / authorization:
>>>>> password, X.509 and OAuth * password auth is appropriate for user ->
>>>>> server authentication * X.509 is appropriate for server <-> server
>>>>> authentication, and * OAuth is appropriate for server -> distant
>>>>> peer (whom you may not have an explicit trust relationship with.) *
>>>>> in all cases, you start with an authenticator (a password, a
>>>>> certificate or a token) and by presenting it to a server at a well
>>>>> defined service establishment URL, you'll get a seed cap back * with
>>>>> that seed cap, you can request those specific capabilities you
>>>>> require
>>>>> 
>>>>> more details and examples forthcoming.
>>>>> 
>>>>> -cheers
>>>>> -meadhbh
>>>>> _______________________________________________
>>>>> ogpx mailing list
>>>>> ogpx@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/ogpx
>>>> _______________________________________________
>>>> ogpx mailing list
>>>> ogpx@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ogpx
>>>> 
>>> _______________________________________________
>>> ogpx mailing list
>>> ogpx@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ogpx
>>