Foros GNU/Buanzo

[buanzo]

It was about time I released a new version. But not only that.... you deserve something more

For those of you who do not know Enigform, it's a set of OpenPGP-based features for HTTP. Digital Signing of HTTP Requests, Secure Session Management, etc

Apache Mod_OpenPGP 0.5.0
http://freshmeat.net/projects/mod_openp ... ses/296137

Firefox Enigform 0.8.2.8
https://addons.mozilla.org/en-US/firefox/addon/4531

Wordpress Enigform Authentication Plugin 1.2.1
http://wordpress.org/extend/plugins/wp- ... ntication/

Enigform: The Definitive Guide
http://wiki.buanzo.org/index.php?n=Main ... entication

Enigform and GNU Privacy Guard on Windows
http://wiki.buanzo.org/index.php?n=Main ... stallation

OWASP: Summer of Code 2008 - Enigform
https://www.owasp.org/index.php/Categor ... od_openpgp

Hope you Enjoy this

[dkg]

Thanks for all the good work, Buanzo! I've been trying to read up on the details of enigform, and in particular, i was hoping to review the proposed RFC. I found several links to what appears to be a placeholder page, but no copy of the RFC to read and/or comment on.

(btw, i'm on ietf-openpgp these days, but i unfortunately joined that list too late to participate in the initial discussion of your brainchild -- sorry to have missed it!)

Also: i've been talking some with the FireGPG folks about gpgAuth (which, aiui, is now deprecated in favor of Enigform-style processing), and i'm a little bit surprised to find that you and the FireGPG devs aren't in active communication. It seems like there are enough points in common that it would be good to at least share plans or something.

the_glu seems to be pretty active in responding to posts on http://forum.getfiregpg.org, so maybe he'd be up for a conversation about how to collaborate.

[buanzo]

Hi dkg! Thanks a lot for your feedback.

Kyle Huff, the original implementator of gpgAuth, is here on my pidgin Buddy list. I know for a fact that he's quite busy (he became a parent a little while ago). I didn't still contact the FireGPG guys (Oh boy, I love it!).

Why, you might ask? Simple: you ask for the RFC. The RFC is non existant now. I had a quite nice draft, which I dismissed in favor of more active 'hands on' research. I never mentioned this publicly, but the amount of research and issues I found while coding for Apache and Mozilla led me to first consider a working 'reference implementation', then write an RFC when I finally reach a certain level of functionality. Also, as Enigform is developed in the arms of OWASP (www.owasp.org, the Open Web Application Security Project) I have a big bunch of people behind me, finding bugs and protocol issues, doing security testing, etc.

This first Beta release, along with the Wordpress plugin, is the first REAL step to get community feedback.

I want, of course, to be in touch with FireGPG, Enigmail (BTW, the name Enigform is an obvious tribute to Enigmail), GnuPG (Werner Koch is actually quite up-to-date with Enigform). But the truth is that I'd be ashamed right now. I'm working on improving the code, protocol, and everything, but I don't feel up to the level of those guys

BTW, I've updated the first post of this thread, I've added an Enigform + gpg4win installation guide, with all needed steps (gpg4win installation, keypair creation, public key sending to keyserver, enigform install and test).

Yours,

[dkg]

Hi Buanzo--

Thanks for the feedback. I can understand not feeling ready, but enigform is out and published already -- people are downloading it and using it! Having a published spec (even if it just represents the currently accepted best practice) is useful for interoperability as well as for security audits to help make sure you're on the right track.

I looked around at the OWASP page for this project, but still couldn't find anything that resembles a specification of what exactly is happening. I can read the source, of course, but i'd like to understand what the goals and procedures of the protocol are, as opposed to what the current code implements at a byte-for-byte level.

At any rate, reviewing the protocol specification is a different task than reviewing an implementation, no? Would you be up for sending me a draft of what you're working on, even if you want to keep it under wraps at the moment? I'm really interested in seeing OpenPGP be more widely useful to more people, but i want to make sure that the protocols themselves are secure (and to help secure them if they're not)!

[buanzo]

dkg,

Sure, I can do that. Shoot me an email and we'll start to work on it.

Also, I reviewed all your concerns on gpgAuth. For instance, http replay-attacks ARE taken into consideration. I know a signed http request can be replayed... but one that belongs to a current session is not so easily replayable, either. Also, the secure session initiation protocol (BARELY mentioned here... http://wiki.buanzo.org/index.php?n=ModO ... nformation ) signs responses during the challenge-response mechanism. I still have to enhance this. I'm working on implementing the ability to import a server's public key as published according to the 'CERT' DNS Resource Record (RFC 4398 by Simon Josefsson, http://josefsson.org/rfc2538bis/rfc4398.txt). But, you know, the Mozilla api does not have a nice DNS library... just one to get A records

SO, well, yes, I think we can work together. I find some of your other attack scenarios quite interesting, and I'd like to continue this off-forum for the time being.

Yours,