rebol and electronic-signature ...
[1/8] from: petr:krenzelok:trz:cz at: 30-Apr-2003 14:32
Hi, simple question - for e-business automation purposes, our law allows to replace paper invoices by electronically delivered once, but such data has to be electronically signed (hopefully not encrypted). So I would like to ask, if Rebol/Command is able to somehow investigate the certificate, check it and to send electronically signed documents. I am not sure I understand the issue correctly, but am I correct that electronic signature is "just" public key file attached to the end of the email? ------51B1DBAF31BBD047B55567250918B934 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIWIgYJKoZIhvcNAQcCoIIWEzCCFg8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3 DQEHAaCCFAYwggPkMIIDTaADAgECAgphClXfAAAAAAGaMA0GCSqGSIb3DQEBBQUA MHsxITAfBgkqhkiG9w0BCQEWEmFkbWluQGNhY3plY2hpYS5jejELMAkGA1UEBhMC VVMxDTALBgNVBAcTBEJybm8xJTAjBgNVBAoTHENldGlmaWthY25pIGF1dG9yaXRh IEN6ZWNoaWExEzARBgNVBAMTCkNBIEN6ZWNoaWEwHhcNMDMwMjI1MTI0MzM0Wh etc. But Rebol/Command docs state: Certificate handling is not supported. REBOL does check the validity of server certificates internally, but no mechanism exists to access the certificate chain from REBOL scripts, and client certificates cannot be defined. So I am somehow confused about the issue ... Any help appreciated, thanks a lot, -pekr-
[2/8] from: g:santilli:tiscalinet:it at: 30-Apr-2003 15:43
Hi Petr, On Wednesday, April 30, 2003, 2:32:36 PM, you wrote: PK> I am not sure I understand the issue correctly, but am I correct that PK> electronic signature is "just" public key file attached to the end of PK> the email? A signature is a hash of the document encrypted with the private key. PK> "Certificate handling is not supported. REBOL does check the validity of PK> server certificates internally, but no mechanism exists to access the PK> certificate chain from REBOL scripts, and client certificates cannot be PK> defined." By the wording, this seems to refer to SSL handling. Anyway, you'd have to handle certificates (i.e. parsing and generation) by yourself I think. Regards, Gabriele. -- Gabriele Santilli <[g--santilli--tiscalinet--it]> -- REBOL Programmer Amigan -- AGI L'Aquila -- REB: http://web.tiscali.it/rebol/index.r
[3/8] from: lmecir:mbox:vol:cz at: 30-Apr-2003 16:01
> simple question - for e-business automation purposes, our law allows to > replace paper invoices by electronically delivered once, but such data
<<quoted lines omitted: 4>>> electronic signature is "just" public key file attached to the end of > the email?
According to the czech law the electronic signature isn't "just" a public key file attached to the end of the email. To be recognized as an electronic signature, it has to be registered. Regards -Ladislav
[4/8] from: tserpa:earthlink at: 30-Apr-2003 10:00
Hi Petr, Although I'm not even close to an expert, I have recently been thinking quite a bit about how to implement this. First of all, Rebol has a great base in place for developing an e-signature tool. For comparison, take a look at how Adobe Acrobat does it and how complicated and expensive it is to use. There are a couple of server based systems that I know of, e.g. AlphaTrust, but they are very expensive (starting at $9000). I think a Rebol server-based digital signature tool could be developed rather easily and cheapily and could offer stiff competition to systems like AlphaTrust. Everything you need to know is in the Rebol encryption doc (certificates aren't really necessary - unless maybe you are trying to use 3rd party - like Verisign - ID's, but if you "trust" and know the people you are dealing with 3rd party ID's aren't necessary - you can use the keys that you generate with Rebol): http://www.rebol.com/docs/encryption.html These are the steps for a digital signature: Creation: 1. A message digest is created for the original document. 2. The message digest is then encrypted with the signer's private key. Verification: 1. The original message digest is decrypted using the signer's public key. 2. A second message digest of the original document is created. 3. The two message digests are compared. - If the two md's match, then the document has not been changed and the sig is valid. - If the values don't match, the data either changed (or is corrupt) or the public key does not match. After reading through the Rebol encryption doc, I think you will see that everything in this process is covered, and it is very easy to envision how all of this could be handled without any client based software (although a digital signature Reblet may be useful). I hope I didn't describe everything that you already know. Ted Serpa
[5/8] from: maarten:koopmans:surfnet:nl at: 30-Apr-2003 17:28
Which is possible, as REBOL supports all the encryption needed, but... most of that stuff is BER encoded (ASN.1) --Maarten Gabriele Santilli wrote:
[6/8] from: tofo:695online at: 30-Apr-2003 12:01
On Wed, Apr 30, 2003 at 05:28:35PM +0200, Maarten Koopmans wrote:
> Which is possible, as REBOL supports all the encryption needed, but... > most of that stuff is BER encoded (ASN.1) >
I don't suppose we can interact with pgp (public key servers, etc), can we? -- signature sneezing: "achoo!" -tom
[7/8] from: petr::krenzelok::trz::cz at: 30-Apr-2003 19:52
Ladislav Mecir wrote:
>Hi Pekr, >>simple question - for e-business automation purposes, our law allows to
<<quoted lines omitted: 9>>>> >According to the czech law the electronic signature isn't "just" a public key file attached to the end of the email. To be recognized as an electronic signature, it has to be registered.
yes .... I am now pressed for the time, so I haven't read all the answers properly yet, but it works as follows: - there is so called Certification Authority - independent, trusted party, which you ask for generating you a certificate - let's say your company wants to send me e-signed invoice - you tell me what CA you use, and I have to install their Certificate - you send me e-signed (beware - e-signed does not necessarily mena encrypted) stuff - I extract key from the message body and check against installed CA, if you are valid partner to deal with 1) here you can imput your e-mail adress, and CA Czechia will send you an example email - you can look at message source in your favourite mailer. In Mozilla and Outlook, you will find special icon, which will enable you to see certificate tree - http://www.caczechia.cz/ca/poslatmail.asp 2) and here you can see ROOT CA Czechia Certificate, CA Czechia certificate - http://www.caczechia.cz/ca/cacert.asp try following link - print read http://www.caczechia.cz/ca/caczechiaroot.cer and try to press it as a link from your browser - as you can probably see - browsers know how to parse it - you will be able to accept it and see its structure. I called Czechia Tech support and they told me OpenSSL was used + some OS services or so. Now the question is - if browsers know how to parse it into structure, why Command can't? Maybe that is exactly what Command docs note is about - it can handle certificates internally, but does not expose the info .... in such case though, Command misses one fine area of possible usage - apps for e-signed communication ... ... or am I still missing something? :-) Cheers, -pekr-
[8/8] from: maarten:koopmans:surfnet:nl at: 1-May-2003 7:34
Petr, You aren't missing anything. Right now the alternative is implementing this yourself using REBOL, which is easy once you get the encoding right. You'll need BER IIRC, which is also used in SNMP, which in turn has a demo script on rebolfrance.org... I have a remote interest in PKI, maybe I can find some time (but I promise nothing). --Maarten Petr Krenzelok wrote:
- Quoted lines have been omitted from some messages.
View the message alone to see the lines that have been omitted