< Previous by Date	Date Index	Next by Date >
	Thread Index

[reSIProcate] Plan to finish work for certs

From: Cullen Jennings <fluffy@xxxxxxxxx>
Date: Mon, 29 Nov 2004 08:49:25 -0800

Ok, I am trying to figure out how we can finish up al the stuff we started
last weekend. 

DTLS - Nagendra seems well on his way to having this going. He is extending
the limpc program so that it can use DTLS as a transport. We will probably
need to put a copy of his SSL mods in the contrib. directory until it gets
merged with marline OpenSSL. He added a new USE_DTLS compile define for
this. 

Security - Need to compile in some root certificates including cacert root.

TLS - need to add stuff to check that certificate chain is when initiating a
connection. Retest all TLS stuff - we did many changes. Would rather wait
till DTLS stuff is in before redoing all testing. Need to test all the
corner cases where the other side can crash at all various stages of a TLS
setup. Need to check code, may still have one case where we asynchronously
block during the handshake - this would be very bad.

Identity Creation. I think the stuff to sign is largely in. If Jason could
host a proxy that did this, it would be very convenient to use it for test.

Identity Checking. We need a DUM based program that when it receives some
message with Identity, it goes and does all the stuff to check the identity.
I suspect that much of this work is done. I think the plan is receive an
identity, send an options to the plan in the Info headers, this will form a
TLS connection, the TLS transport will stuff this cert into the Security
domain cert store. then the DUM can use this cert to check the Identity
signature and populate the result structure which gets passed up to the
applications. Need to test:
1) the message has been tampered with and hash has changed
2) the signature is wrong
3) can't fetch the cert
4) already have the cert in store, don't need to do options
5) everything goes fine
6) get a timeout trying to fetch the cert

Certs Store. Need to get this up and running. I think it compiles but does
not run yet. Need to test we can:
1) retrieve a cert that is on disk
2) retrieve a credential that is on disk
3) generate new credentials if none exist
4) accept a publish of a new credential
5) have publish cause notifies on existing subscriptions to certs and
credentials
6) have cert store add Identity headers to stuff it sends
7) have cert store be able to check Identity headers on publish or subscribe
to credentials 

DUM Encryption - Need API to indicate that whish to send message encrypted.
Need to add stuff to go and fetch cert from cert store if it is not cached
locally. Need to check Identity header of incoming result and add to local
cache. 

DUM Signing - API to say sign, go fetch certs of incoming messages and check
signature.

Prev by Date: [reSIProcate] Porting limpc to DUM
Next by Date: Re: [reSIProcate] Anyone developing on Solaris?
Previous by thread: [reSIProcate] Porting limpc to DUM
Next by thread: [reSIProcate] Header Template class
Index(es):
- Date
- Thread