AltME groups: search

Well, what I would like to see is the ability to have one file per 
table, without artificial limits like having to attach databases, 
to some artificial number of 9, or what was the limit. Second - SQLite 
4 to have encryption storage option ....

New Android release:

URL		: http://development.saphirion.com/experimental/

Direct URL	: http://development.saphirion.com/experimental/r3-droid.apk

Changes:
-added DH and AES 128/256 encryption
-rewritten console syncing code
-TLS scheme improvements
-fixed runtime stack size issue
-fixed FP math using dtoa()  (thanks to Ladislav!)
-fixed shared lib unloading issue
-fixed "exit on script error" bug
-minor app handling tweaks

Please give it a try and have fun.

I have the SDK (full encryption strength) and I've been playing with 
the rijndael encryption algorithm. I cut and pasted the code below 
from http://www.rebol.com/how-to/encrypt.htmland it produces 256 
as the port strength despite the strength being stated as 512. Is 
it 256 or 512? The web page says Rebol can provide 512 with rijndael. 
Can it?

port: open [
    scheme: 'crypt
    direction: 'encrypt
    key: akey
    strength: 512
    algorithm: 'rijndael
    padding: true
]
print port/strength


When I switch the algorithm to blowfish I get the expected 512 port 
strength. Is blowfish actually 512?

I need to know what level of encryption I am working with. TIA.

The final paragraph of the section titled the algorithm in the wikipedia 
enttyr for Blowfish explains that it is possible to implekment the 
algorithm with keys of up to 576 bits long but not advised by the 
author of the algorithm. Though when I was using REBOL for some testing, 
I set the strength to 448. 


I would have thought that AES 256 would suffice for for most purposes 
needing symmetrical encryption

providing an optional output buffer  (which the user can pre-allocate 
to some ideal size)  would make a VERY big difference on large inputs.


usually, when it goes into the hundreds of thousands, repetitive 
series re-allocation on growing mutable series,  will kill any kind 
of optimisation you can dream of. 


rle: func [s [series!]   /into out  [block!]  /local out emit pos1 
pos2 cont][
	out: any [ out     make block! 2 ]
 ...
]


this is especially effective on repetitive calls to the above function 
and using clear on the given buffer so that it auto-grows to an optimal 
size and is fast on later calls.


just today, I was doing some encryption benchmarking and when I hit 
strings larger than 1MB it was taking several minutes... thats until 
I realized that it was my dataset generator (a looped string insert) 
which was taking 98% of the cpu time.  !

Pipes usually refer to network connections. The encryption that is 
usually employed there (SSL) is missing from many REBOL versions

AltME is secure for partly different reasons. We are told it employs 
encryption over the network, but we can't check that, because it's 
closed source

Thanks BrianH. I am aware of the need to "keep your untrustworthy 
data that you can't safely DO separate from that code."


I am creating a small Rebol server capable of communicating with 
clients, using RSA key exchange and the blowfish algorithm, both 
of which work to reasonably high encryption levels in Rebol, 4096 
for RSA and 512 for Blowfish (yes I know the effective upper limit 
for Blowfish is 448 bits, but that is good enough for my purposes).


I want to save the RSA key as a block so it can be loaded back into 
the program and used again, hence my question. It will be encrypted, 
wherever it gets saved, so there will be no chance of it being messed 
with.


Actually, I am writing a much simpler version of Rebol Services, 
since I could not get that to work and my ability to code in Rebol 
was not sufficiently developed yet to see how to get it working.


I am in a steep learning curve right now with Rebol and the time 
I am investing is starting to pay off. Thanks for the information 
about keeping code and data separate. It's always good to be reminded 
of 'obvious' truths.

If you want encryption, use pops or spop

So I have a question about RSA encryption. When I run the following 
code:

  rsa-key: rsa-make-key
  rsa-generate-key rsa-key 1024 3

  crypt-key: copy/part checksum/secure mold now/precise 16
  print crypt-key

  crypt-key: rsa-encrypt rsa-key crypt-key
  print crypt-key

  crypt-key: rsa-encrypt/private/decrypt rsa-key crypt-key
  print crypt-key


it runs perfectly, encrypts the crypt-key and then decrypts it sucessfully.


As you probably know, the purpose of the RSA algorithm is to allow 
someone else to encrypt data that only you can decrypt using your 
private key. I tried this with a different public key using the following 
code:

  rsa-key1: rsa-make-key
  rsa-generate-key rsa-key1 1024 3

  rsa-key2: rsa-make-key
  rsa-key2/n: rsa-key1/n

  crypt-key: copy/part checksum/secure mold now/precise 16
  print crypt-key

  crypt-key: rsa-encrypt rsa-key2 crypt-key
  print crypt-key

  crypt-key: rsa-encrypt/private/decrypt rsa-key2 crypt-key
  print crypt-key


So I put the public key from rsa-key1 into another object, rsa-key2 
and tried using it to encrypt the data and get the following error.

	#{DD44AC1810E9A7020FAD72A7CFA54100}
	Segmentation fault


How do I get the public key from the first object into the second 
object so that it can be used to encrypt data?

When R3 was open sourced, I presume the SDK was not also open sourced? 
I am looking for the 'C' source code for the RSA, AES and Blowfish 
encryption functions.

I simply wrote the TLS scheme :-) I've also added the neccessary 
crypto algorithms at the native level (only RSA with ARC4 cipher 
suite is supported at the moment).

IMO this solution gives us much better flexibility: the encryption 
code is native(fast) and the TLS protocol logic is in REBOL so it 
is possibel to enhance it much more easily.

One more note: AFAIK the current version of TLS + the encryption 
support increased the binary only by ~10KB which is also cool. I 
have no clue how much could take adding the rest of missing algorithms 
though.

Well, I suppose since ALTME is encrypted they would have to release 
the encryption specifics so it may never be done

encryption and authentication/authorization.

rugby uses 1024 bits encryption

used to say that that would take 3,000,000 years to crack ... but 
now they say governments can do it.  should switch to 2048 bits for 
espionage level encryption.

Would you really want a non-native GUI, with every call to / from 
it going via slow [in relative terms] routine! APIs?


I agree that having one *huge* exe that does 100% of what *everyone* 
wants but only has 20% of it's functionality used by the average 
coder is a bad thing. The problem is defining what constitutes huge 
and what functionality is needed by most coders. Here are some typical 
components:

	Graphics
	Sound
	Networking
	Maths
	Encryption
	Data storage
	Installer
	Registry access
	Library access


Which should be built-in? Which should be loadable modules? Is your 
preference going to be the same as mine? These are not easy design 
questions.

I meant links to the docs (Library docs, Sound docs, call docs, encryption 
docs)

it looks to me, that the initial-vector is not taken into account 
by the encryption ports?

I have to encrypt some rather large files .. many megabytes.  Is 
there an encryption port that will do this in Rebol?  Or does encryption 
require that the whole file be in memory?

I don't think encryption changes the file-length, so you could just 
choose a large chunk size and encrypt those separately.

http://www.rebol.com/docs/encryption.html#section-3.1"It is possible 
to copy from the port before all data has been written"

I don't know exactly, but I remember reading that its not a real 
encryption system.

Encloak  -- http://www.rebol.net/cookbook/recipes/0023.html-- Carl 
says


Newer versions of REBOL include "cloaking" functions for encrypting 
and decrypting strings. These functions do not provide full strength 
encryption such as Blowfish, AES, or RSA as found in REBOL/Command, 
nevertheless they can be useful for hiding passwords and other values. 
(That's why we call it cloaking rather than encrypting.)

There are things stronger than encloak in the Library

http://www.rebol.org/cgi-bin/cgiwrap/rebol/search.r?find=encryption

I have a 24 bit math implementation to do RSA  but never converted 
to or from other bases. It is from before Holgar did  encryption 
with thebignum library  nativly in  core/view which renders mine 
moot

anyone know of a way to get a persistent value based on someone's 
computer... the longer the string the better... (on windows)

this is with a /command license, so any accessible rebol feature 
is usable.

something like:
    -System install serial number
    -Disk serial number
    -CPU id


I want to generate an encryption key which isn't stored as part of 
the code.  It just makes it a bit more complicated to reverse engineer 
the stored password if the encryption key is different for all installations.

the idea is for the encryption key to a stored password is created 
dynamically via an algorythm.  
If the software is encapped, then its a pretty safe system IMHO.


But if the software stays open source (and interpreted), at least 
I can use some natives for which the key-gen algorythm is hard to 
reverse engineer.

Although someone with rebol know-how can obviously get the passwd 
by running the algorythm manually, there is no way around this AFAIK.

If you think that keeping the algorithm secret increases the security 
of your encryption then you should not be writing an encryption algorithm. 
it's that simple. :)

I'll use real encryption (using command)

using real encryption does not make any difference... but anyway.

Basically I am writing to ask something ... I am newbie at writing 
rebol bindings. This binding if it works it works but if almost anything 
goes wrong it simply crashes. For example missing some file, not 
going into TEXT mode , not oppening closing something, page reference 
insted of pdf doc reference given to some function in binding .. 
pdf that we intend to write being locked (alredy open in acrobat)... 
ETC ... 


I intend to write this robust now, so I am asking how is this usually 
done? I can check for preconditions before talking to binding at 
runtime in rebol. Another (better) option is that binding shouldn't 
just crash for anything that goes wrong. I saw in docs something 
about error messages as return, so maybe I am doing something wrong 
in the first place , for example not implementing or setting up some 
callback for errors... Anyone more experienced than me? Rebol Haru 
could be quite capable otherwise, it supports all things that are 
really messy to do in PDF (encodings, embedding fonts, images, encryption, 
graphics, ...).

One thing is that I can check for these preconditions at runtime,

encryption contest? ;)

Hello, everyone... Ii am using encryption in Rebol/SDK, and I would 
like to store the actual binary value returned from the port as a 
string... not the to-string value, but the binary value... for example, 
if I get back #{455121D505CD240595E530589ADCD7787F22EF9DE899D6D8} 
from the port, I would like to store 455121D505CD240595E530589ADCD7787F22EF9DE899D6D8 
as a string in a file... does anyone know if this is possible?

this is a serious flaw in R2... if you want to store encryption keys 
within an application and want to provide some sort of plugin interface, 
you are pretty much fucked... people can rip your application appart, 
and there is nothing you can do about it...


a part creating a dialect, which is complicated as hell if you want 
to provide do-like syntax.

Tim: MySQL 4.1 uses a new encryption method for user passwords, try 
add a new user assigning the password with the function OLD_PASSWORD('pass') 
rather than PASSWORD('pass'), and attempt   open mysql:// ... etc. 
 with the new user. Hope this helps.

I am not talking about encryption, just looking into 'checsum function 
help ... I just need hash ...

With v3.x.y servers, there's still sometimes connections errors 1045 
that shouldn't happen. I guess that's related to some encryption 
implementation difference between my client and v3 servers. Workaround 
for this, is catching error! values when connecting and retrying 
the connection if the user/pass is fixed and should be able to connect 
to the server (proper right set in 'mysql' tables).

so it's simply a different encryption scheme for some reason

At least, the whole networking support needs probably to be fully 
rewritten for R3. Beyond that I'm not sure what you work or not out 
of the box with R3. String encoding and Unicode might require some 
additional code. MD5 support is also required btw, if you want to 
use passwords with 4.1+ MySQL servers (for 3.x support, you would 
need to rewrite the whole current driver encryption code).

If I wrote some fanstastic treatise in French .. you would complain 
about the encryption method.

All SDKs have shell, library and encryption. Command adds ODBC/Oracle 
and SSL (client side)

I have sshd running on my Kubuntu, and when I fish: across to it 
from another kubuntu box on the local network, it takes a long time 
to connect. Today I counted 45 seconds before authentication dialog 
popped up. I think I remember reading something about a delay for 
encryption etc. but I'm wondering if that's a "normal" length of 
time to wait.

Is Altme communicating on plain TCP/IP protocol? Does Altme use encryption 
in any way? SSL?

Altme uses encryption but not ssl

Seems like SSL Tunnelling with squid is on by default on certain 
ports using the CONNECT method:

http://www.squid-cache.org/mail-archive/squid-users/200210/0295.html

Our customer was monitoring the trafik and could see, that nothing 
happened after the CONNECT, so maybe the problem is, that REBOL doesn't 
continue after the CONNECT!? As I understand it, the CONNECT method 
is used to establish a connection between the two computers (client 
and server), and then the proxy simple let the communication continue 
without touching it (allowing SSL encryption and the like). REBOL 
can make the connection, but fail to communicate afterwards. (My 
guess.)

It's interesting, that Altme works using encryption too!? Is the 
CONNECT method in use in this situation?

an encryption tool? I think not ... IMO altme is built upon SSL capability 
of Rebol/Command SDK or even Rebol/Pro? Dunno ...

Pekr: Graham was just saying, that "Altme uses encryption but not 
ssl"

see http://www.rebol.com/docs/encryption.html

The chapter also includes a really enthusiastic introduction to IOS 
and details of the data encryption features in Rebol/Command.

not sure, not tried yet, but good suggestion ... so what is the difference 
then? Encryption, odbc?

Command adds encryption, ODBC, Oracle, (slower native) MySQL, and 
SSL.

isn't encryption part of /pro too?

Command seems to have an "Encryption Level 2" though, which I would 
guess is better.

(I think Pro suffices anyway though. It has encryption and FastCGI 
on board)

But with the xpacker you don't protect the code as with encap. Encap 
is using encryption. the packer just decompress the files to temp 
dir and runs a command. So while the program is runing, you can see 
the files.

Folks, I'd like to use encryption, to encrypt some json records and 
deploy it to the browser and decrypt it using this algorithm at  
http://www.fourmilab.ch/javascrypt/javascrypt.html

I'd like to encrypt json text using Rebol and AES encryption. And 
decrypt this using javascript. Do you have any idea how to do this 
using Rebol. I mean the AES encryption. I mean : txt: "blablablba" 
 key: #CEDEFF.. encrypt  txt key   ...  using AES rhinjael algorithm 
.. thanks

rondon,

you have to check that the choosen encryption scheme is compatible 
on both sides. at least SHA-1 / MD5 should work.

here you have some javasript routines:
	http://www.movable-type.co.uk/scripts/sha1.html
	http://pajhome.org.uk/crypt/md5/index.html

howto rebol:
http://www.rebol.com/docs/words/wchecksum.html


just send some test data and adjust the encryption scheme at the 
javasript side.

with luck, the rebol implementation is suitable for the routines 
above.

Rondon, Rebol encryption is well described in this secure document 
http://www.rebol.com/how-to/encrypt.html#section-15

I tried to do AES encryption but anything I encypted was not de-crpytable 
by standard tools

TomBon: hashing and encryption are not the same thing.

crypt: func [
    "Encrypts or decrypts data and returns the result."
    data [any-string!] "Data to encrypt or decrypt"
    akey [binary!] "The encryption key"
    /decrypt "Decrypt the data"
    /binary "Produce binary decryption result."
    /local port
][
    port: open [
        scheme: 'crypt
        direction: pick [encrypt decrypt] not decrypt
        key: akey
        padding: true
    ]
    insert port data
    update port
    data: copy port
    close port
    if all [decrypt not binary] [data: to-string data]
    data
]

REBOL [
Title: "ARCFOUR and CipherSaber"
Date: 17-Jan-2004
File: %arcfour.r
Author: "Cal Dixon"

Purpose: {Provides encryption and decryption using the ARCFOUR algorithm}

Note: {this implementation can decrypt data at about 40KB/s on my 
1Ghz AMD Duron system with Rebol/View 1.2.10.3.1}
Library: [
level: 'advanced
platform: 'all
type: [function module protocol]
domain: [encryption scheme]
tested-under: [view 1.2.10.3.1 on [W2K] by "Cal"]
license: 'PD
support: none
]
]


;ARCFOUR specification: http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt

;CipherSabre specification: http://ciphersaber.gurus.com/faq.html#getrc4


arcfour-short: func [key [string! binary!] stream [binary! string!] 
/mix n /local state i j output swap addmod sz][

swap: func [a b s /local][ local: sz s a poke s a + 1 to-char sz 
s b poke s b + 1 to-char local ]
addmod: func [ a b ][ a + b // 256 ]
sz: func [ s a ][ pick s a + 1 ]

state: make binary! 256 repeat var 256 [ insert tail state to-char 
var - 1 ]

j: 0 loop any [ n 1 ] [ i: 0 loop 256 [ swap i j: addmod j add sz 
state i sz key i // length? key state i: i + 1] ]
i: j: 0 output: make binary! length? stream
repeat byte stream [
swap i: addmod i 1 j: addmod j sz state i state

insert tail output to-char xor~ byte to-char sz state addmod (sz 
state i) (sz state j)
]
clear state
return output
] 

make root-protocol [
addmod: addmod: func [ a b ][ a + b // 256 ]
sz: func [ s a ][ pick s a + 1 ]

swap: func [a b s /local][ local: sz s a poke s a + 1 to-char sz 
s b poke s b + 1 to-char local ]
ins: get in system/words 'insert
i: 0 j: 0
open: func [port][
port/state/tail: 2000
port/state/index: 0
port/state/flags: port/state/flags or port-flags

port/locals: context [ inbuffer: make binary! 40000 state: make binary! 
256]
use [key n i j] [
key: port/key
n: port/strength
repeat var 256 [ ins tail port/locals/state to-char var - 1 ]
j: 0 loop any [ n 1 ] [
i: 0 loop 256 [

swap i j: addmod j add sz port/locals/state i sz key i // length? 
key port/locals/state i: i + 1
]
]
]
i: j: 0
]
insert: func [port data][
system/words/insert tail port/locals/inbuffer data do []
]
copy: func [port /local output][
output: make binary! local: length? port/locals/inbuffer
loop local [

swap i: addmod i 1 j: addmod j sz port/locals/state i port/locals/state

ins tail output to-char sz port/locals/state addmod (sz port/locals/state 
i) (sz port/locals/state j)
]
local: xor~ output port/locals/inbuffer
clear port/locals/inbuffer
local
]

close: func [port][ clear port/locals/inbuffer clear port/locals/state 
clear port/url clear port/key]
port-flags: system/standard/port-flags/pass-thru
net-utils/net-install arcfour self 0
]

arcfour: func [key stream /mix n /local port][
port: open compose [scheme: 'arcfour key: (key) strength: (n)]
insert port stream
local: copy port
close port
return local
]


; CipherSaber is an ARCFOUR stream prepended with 10 bytes of random 
key data
ciphersaber: func [ key stream /v2 n ][

arcfour/mix join key copy/part stream 10 skip stream 10 either v2 
[ any [ n 42 ] ][ 1 ]
]

Graham: I was able to implement TLS1.0 protocol configured to use 
the TLS_RSA_WITH_RC4_128_SHA cipher-suite. All the mentioned algorithms 
were calculated using the  build-in Rebol2 encryption functionality. 
I had no problems regarding the compatibility. I haven't tried the 
cipher-suite with the AES enctryption though but my guess it will 
work as well.

Doc: the code is in sort of "prototype state" and It was meant as 
possible implementation for R3 in future (once Carl put the encryption 
algorithms codebase into the R3/host-kit or someone write an extension 
for that).

I wrote it because I wanted to know if we could get rid of unnecesary 
C code that is currently in R2 to just handle the protocol logic 
while the performance of the crypto algorithms will remain in C. 
The current size is less than 20Kb of Rebol script code so IMO it 
could be useful and also easier maintainable way.

Currently it works in client-side mode only but there is already 
support for ASN.1 certificates also I tried to write the code so 
the server-side mode and other cipher-suites shouldn't be hard to 
add.

I plan to release the prototype to open public after some cleanup 
but if you want to waste some time with the current 'raw stuff' just 
post me privately and I'll send you a copy.

yes, zip:// scheme - would be usefull, along with encryption :-)

Is there any progress on encryption with Uniserve protocols ?

Encryption methods are application-depend, it's hard to built-in 
Uniserve's kernel a general purpose encryption for communication 
that'll fit well any case...The kernel have to remain general purpose. 
But it may provides some helping features to allow easier encryption 
integration. Do you have some design ideas how the kernel should 
help integrating encryption ?

I think the problem I had is that uniserve either uses a terminating 
sequence, or a preset number of bytes.  If the size of each "packet" 
changes with encryption, how does one cope with that?

I've added a new event : 'on-write-chunk to allow modification of 
the chunks of big files just before they are sent. This can be the 
hook to implement compression or encryption when sending big files.

About server-side SSL : after several beers last year in Paris, Carl 
told me that the ssl:// scheme could be turn to work as server-side 
with just the right flag set (IIRC, was about setting the right "direction" 
in encryption), then you "just" have to implement server-side HTTPS 
protocol to support it fully. I've since that, tryed several times 
to get the info about the "magic flag" from Carl, without success. 
So I've prepared several dozens bottles of beer to be sure to get 
the info from him at the next DevCon ;-).

Their LNS implementation uses BEER for authentication, encryption, 
and transport.

BEER does channelling in one single connection. if you don't need 
that, there's no advantage in using it vs. plain tcp. lns is doing 
its own auth/encryption and so on anyway.

I mentioned certificates for two reasons here. 1) IIRC Holger (or 
someone from RT, do not remember right now) said, that internally 
Rebol has some parser for that, but the API for that is not exposed 
2) it seems to me, that there might be some parts of the world, where 
encryption is enough, and there is nothing bad with such opinion, 
in regards to such countries ...

Q about encryiption within rebservices: my *guess* is if you are 
using core or view, then rebservices can' t use rsa encryption method 
but must use encloack/decloack method. And there is no plans to upgrade 
for rsa support in the next releases of  core and view . I'm rigth?

About the Email.. I think they dont understand where email is going.. 
If they would have build an email client that would support encryption 
or packaging from text to grafics they would be on the route to the 
future.. For..re-inventing the wheel with lots of bells and advertising.. 
(yes im a little anti java and .net internet applications currently 
;-) Ever stranger...NET is dead and also is Java..still many use 
it.. i dont get it..

Yes on both counts. Really depends on what kind of data needs to 
be encrypted; if it's passwords and personal information that is 
indirectly referenced (i.e. on / by other key column(s) ) then client-side 
encryption makes sense.

IMO encryption should be on a lower level, on the file level. I don't 
want to care about using encryption in my application, I just want 
to set a flag that the database file gets encrypted.

WRT encryption. I found one implementation (you need to buy a license) 
that supports transparent encryption. IIRC I posted the link some 
time ago. I will have a look at the C code and there at the storage 
stuff to see how hard it is to add an AES encryption of storage pages. 
IMO it can't be that hard.

Hi, I know that some talk of encryption was held here some time ago, 
but currently I was asked to eventually protect sqlite data and I 
am not sure what is correct aproach. I would not go DB-as-a-file 
encryption, then "unpacking" into memory, or so. I prefer app level 
encryption, but I am not sure about searches, using LIKE directive. 
Would it work?

the proper encryption would have to come at lower db level, namely 
- storage level ....

Performance will be about 50% without encryption for the SQLite extension. 
But I don't think that it's that much. Reading/writing to disk is 
a lot slower compared to execution speed of processors. So, I expect 
about 25% performance loss.

well, but at some point, you open-up that partition in order to be 
able to access it. The security is not there anymore. What I would 
like to have is direct SQLite low-level encryption, so that file 
might be visible to FS, but still encrypted. And your app provides 
password or something like that ... IIRC BrianH is using some such 
solution, I just don't remember its name.

IIRC encryption costs $2000

SQLIte is fast for simple to middle local stuff. I have few obstacles 
with it 


1) it stores everything in one file. You can't use simplicity of 
file-system for simple back-up purposes. Attaching DBs (max 10 precompiled 
value) is not an option, as then transactions are not atomic

2) it is not secure - can't be secured easily, because encryption 
is not part of the package

3) serverless (both advantage = no install, but also disadvantage). 
It provides locking. They claim multiple instances of app can access 
one file, but I did not find more info on that. Dunno how granular 
locking you can do. You have to create server front-end yourself 
...

R3 does not have encryption modules yet, they will probably come 
later. but notice that nobody stops people from linking to OpenSSL 
and provide a complete SSL solution.

Services requires encryption so you can bet release version of R3 
will have it.

SSL is specific protocol. I am not speaking about encryption here, 
but about the trust, that is what certificates are for. IIRC the 
api for them is inside, it was not just exposed. And IIRC2, Ladislav 
once mentioned he will do it? But I could misunderstood him ...

signatures - rebol has that built in. is called rsa encryption

We'll need access to Berkeley DB too, (if the Grid stays in the current 
shape it is) so a good reason to link to libdb for RIF.


For LDAP, I think the protocol should be in a REBOL scheme.  But 
as stated, it's not a small task.


And for the Grid, we'll need certificate handlers, and encryption 
ports will work nicely for that.  With those three pieces, I think 
we'd be ready to introduce ourselves to the CERN LCG and VDT people 
 (Assuming they didn't shoot down the idea off hand due to not Open 
Source)  In which case we'd have to live outside the inner grid and 
float about the consumer grid.  No science apps would need apply, 
but the consumer grid could be a lucrative next step.  Maybe.

Some info from Carl from the past:


The DLL access is very complicated code that is specific to every 
CPU and OS.The DLL access is very complicated code that is specific 
to every CPU and OS.

The problem with plugin is not the code itself, but the security 
of it.

If we can set security aside for a while, we can certainly have the 
method for it.
I think it is probably ok for 3.0 to make this statement:

If you want to use plugins, you can -- but, you will want to only 
use those from trusted sources. Do not execute unknown plugins from 
the web.

the complex part of the security model is some method of digital 
signing.

We could use a simple hash method, but the problem is with public/private 
certification.

What makes it complicated is that we must port the R2 encryption 
code to R3.
That project could take a few weeks.

A way to add higher order encryption

Graham: okay. that's the whole licensing/encryption/pro features/etc. 
issue right?

Here's a few components of Trusted Scripts (this is only a draft 
-- open for feedback):
	* Default security model is tight -- how tight is TBD.

 * Developers that want to take advantage of Trusted Scripts, i.e. 
 to lower security for a production app, first must buy a license.key 
 from RT.

 * license.key unlocks  "features" and "permissions". Features are 
 things like encryption within the script. Permissions include file 
 sandbox, domain restrictions, dll loading permissions, etc.

 * license.key will contain contact info, so we can track down the 
 author of a malicious signed script if necessary.

using encryption if you have those options in your license.

My working login.rsp script ...

<%
		in-user: select request/content 'login
		in-pass: select request/content 'pass
		encoding-salt: to-binary "My encryption string"


  print [ <p/> "Login is: " in-user " and pass is " in-pass <p/> ]
				
		encode-pass: func [
			pass [string!]
			salt [binary!]
		] [
			checksum/secure append to binary! pass salt
		]

		
		if all [ in-user in-pass ][
			print <pre>


   qry: rejoin [ {select staffname, sid, fullname from staff where staffname 
   = '} in-user {' and pwd = '} form encode-pass in-pass encoding-salt 
   {'} ]

			probe qry
			print </p>
			
			sql: do-sql 'remr qry 
			print [ "Query result: " sql ]
			print </pre>	
			if found? sql/1 [
				response/redirect "/testapp/"
			]
		]
%>

Encryption: I meant this to use for normal cookies.