[phpxmlrpc] [Fwd: xmlrpc signing]

Justin R. Miller incanus@codesorcery.net
Tue, 29 Oct 2002 08:29:40 -0500

Hash: SHA1

Apologies if this should be kept on the -devel list.  Feel free to
correct followups.  And I believe that Andres is on at least the -devel

I was just curious what advantage (besides the obvious encryption
strength improvement) PGP/GnuPG support in these XML-RPC bindings has
over the HTTPS/cURL-based certificate support that myself and Garrett
Rooney added.  

I suppose that with PGP you've got a certification as to the
authenticity of the client, and not just the security of the protocol
and authrorization to exchange.  But it seems like this might be pretty
hackish to get into HTTP.  

Then again, you guys at Voxel could be up to anything ;-)

(BTW, Hi Andres!)

Said Edd Dumbill on Tue, Oct 29, 2002 at 07:48:00AM +0000:

> Any comments?  Please be sure to CC Andres.
> -----Forwarded Message-----
> From: Andres Salomon <dilinger@voxel.net>
> To: edd@usefulinc.com
> Subject: xmlrpc signing
> Date: 29 Oct 2002 02:41:38 -0500
> I'm attempting to add key signing to your xmlrpc library (I'll feed
> changes back upstream once I'm done).  Once an xmlrpcmsg is about to be
> sent, it is serialized, a private key is used to generate a signature of
> the serialized data, and both are sent to the xmlrpc server.  The server
> uses the client's public key to verify that the msg came from the actual
> client; if verification is sucessful, decode the xmlrpcmsg as normal.
> My hang-up is how to send the payload signature.  The way I'd prefer to do it
> is a simple form variable; the XMLRPC spec states that the xmlrpc
> message is the body of a HTTP-POST request, so I figure that leaves
> HTTP-GET available for (ab)use.  I'd like to do this in a manner that
> works with other xmlrpc implementations (if not supporting the
> verification, silently ignoring the signature).
> Have you heard of any other implementations that allow this, or similar
> workarounds (perhaps passing the signature elsewhere)?  Do you have any
> suggestions?
> -- 
> It's not denial.  I'm just selective about the reality I accept.
> 	-- Bill Watterson

- -- 
[!] Justin R. Miller <incanus@codesorcery.net>
    Encrypted email preferred (key 0xC9C40C31)

Version: GnuPG v1.2.1 (FreeBSD)