rebol and electronic-signature ...
[1/8] from: petr:krenzelok:trz:cz at: 30-Apr-2003 14:32
Hi,
simple question - for e-business automation purposes, our law allows to
replace paper invoices by electronically delivered ones, but such data
has to be electronically signed (hopefully not encrypted). So I would
like to ask if Rebol/Command is able to somehow investigate the
certificate, check it and send electronically signed documents.
I am not sure I understand the issue correctly, but am I correct that
electronic signature is "just" public key file attached to the end of
the email?
------51B1DBAF31BBD047B55567250918B934
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIWIgYJKoZIhvcNAQcCoIIWEzCCFg8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
DQEHAaCCFAYwggPkMIIDTaADAgECAgphClXfAAAAAAGaMA0GCSqGSIb3DQEBBQUA
MHsxITAfBgkqhkiG9w0BCQEWEmFkbWluQGNhY3plY2hpYS5jejELMAkGA1UEBhMC
VVMxDTALBgNVBAcTBEJybm8xJTAjBgNVBAoTHENldGlmaWthY25pIGF1dG9yaXRh
IEN6ZWNoaWExEzARBgNVBAMTCkNBIEN6ZWNoaWEwHhcNMDMwMjI1MTI0MzM0Wh
etc.
But Rebol/Command docs state:
Certificate handling is not supported. REBOL does check the validity of
server certificates internally, but no mechanism exists to access the
certificate chain from REBOL scripts, and client certificates cannot be
defined.
So I am somehow confused about the issue ...
Any help appreciated,
thanks a lot,
-pekr-
[2/8] from: g:santilli:tiscalinet:it at: 30-Apr-2003 15:43
Hi Petr,
On Wednesday, April 30, 2003, 2:32:36 PM, you wrote:
PK> I am not sure I understand the issue correctly, but am I correct that
PK> electronic signature is "just" public key file attached to the end of
PK> the email?
A signature is a hash of the document encrypted with the private key.
PK> "Certificate handling is not supported. REBOL does check the validity of
PK> server certificates internally, but no mechanism exists to access the
PK> certificate chain from REBOL scripts, and client certificates cannot be
PK> defined."
By the wording, this seems to refer to SSL handling.
Anyway, you'd have to handle certificates (i.e. parsing and
generation) by yourself I think.
Regards,
Gabriele.
--
Gabriele Santilli <[g--santilli--tiscalinet--it]> -- REBOL Programmer
Amigan -- AGI L'Aquila -- REB: http://web.tiscali.it/rebol/index.r
[3/8] from: lmecir:mbox:vol:cz at: 30-Apr-2003 16:01
Hi Pekr,
> simple question - for e-business automation purposes, our law allows to
> replace paper invoices by electronically delivered once, but such data
<<quoted lines omitted: 4>>
> electronic signature is "just" public key file attached to the end of
> the email?
According to Czech law, the electronic signature isn't "just" a public key file attached
to the end of the email. To be recognized as an electronic signature, it has to be registered.
Regards
-Ladislav
[4/8] from: tserpa:earthlink at: 30-Apr-2003 10:00
Hi Petr,
Although I'm not even close to an expert, I have recently been thinking
quite a bit about how to implement this. First of all, Rebol has a great
base in place for developing an e-signature tool. For comparison, take a
look at how Adobe Acrobat does it and how complicated and expensive it is to
use. There are a couple of server based systems that I know of, e.g.
AlphaTrust, but they are very expensive (starting at $9000). I think a
Rebol server-based digital signature tool could be developed rather easily
and cheaply and could offer stiff competition to systems like AlphaTrust.
Everything you need to know is in the Rebol encryption doc (certificates
aren't really necessary - unless maybe you are trying to use 3rd party -
like Verisign - ID's, but if you "trust" and know the people you are dealing
with 3rd party ID's aren't necessary - you can use the keys that you
generate with Rebol):
http://www.rebol.com/docs/encryption.html
These are the steps for a digital signature:
Creation:
1. A message digest is created for the original document.
2. The message digest is then encrypted with the signer's private key.
Verification:
1. The original message digest is decrypted using the signer's public key.
2. A second message digest of the original document is created.
3. The two message digests are compared.
- If the two md's match, then the document has not been changed and the
sig is valid.
- If the values don't match, the data either changed (or is corrupt) or
the public key does not match.
After reading through the Rebol encryption doc, I think you will see that
everything in this process is covered, and it is very easy to envision how
all of this could be handled without any client based software (although a
digital signature Reblet may be useful).
I hope I didn't describe everything that you already know.
Ted Serpa
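The creation and verification steps Ted lists, carried out end to end. This is an added example in Python (not REBOL, and not code from the thread or from the REBOL encryption doc): the digest is wrapped in a DigestInfo and padded per RSASSA-PKCS1-v1_5 (RFC 8017) before the private-key operation, which is what "encrypting the digest with the private key" amounts to in practice. The key generation is a pure-Python Miller-Rabin routine kept small for the demo, and the invoice text is a constructed sample.

```python
"""Digital signature creation and verification following the steps above:
create a digest, apply the private key; apply the public key, recompute the
digest, compare. Added example; uses RSASSA-PKCS1-v1_5 (RFC 8017)."""
import hashlib
import hmac
import random

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
_rng = random.SystemRandom()          # OS entropy, not the Mersenne Twister


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024, e=65537):
    """Return ((n, e), (n, d)). 1024 bits keeps the demo fast; use >= 2048 for real keys."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            break
    return (n, e), (n, pow(e, -1, phi))


def _encode(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(message)), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()     # creation step 1: digest
    if k < len(t) + 11:
        raise ValueError("modulus too small for SHA-256 signatures")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(private_key, message):
    """Creation step 2: private-key operation on the padded digest."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_encode(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(public_key, message, signature):
    """Verification steps 1-3: public-key operation, recompute the digest
    encoding for the document, compare. Comparing the whole expected encoding
    instead of parsing the recovered bytes avoids the lenient-parser bugs
    behind Bleichenbacher-style forgeries."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if not 0 < s < n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _encode(message, k))


if __name__ == "__main__":
    public, private = generate_keypair()
    invoice = b"Invoice 2003-0042, total 1500 CZK"          # constructed sample document
    sig = sign(private, invoice)
    print("valid:", verify(public, invoice, sig))
    print("tampered:", verify(public, invoice + b"0", sig))
```

A mismatch on verify tells you only that the document, the signature, or the key does not match; which one it was is exactly the question a certificate (binding the public key to the signer) is there to settle, and nothing in this block answers it.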
[5/8] from: maarten:koopmans:surfnet:nl at: 30-Apr-2003 17:28
Which is possible, as REBOL supports all the encryption needed, but...
most of that stuff is BER encoded (ASN.1)
--Maarten
Gabriele Santilli wrote:
[6/8] from: tofo:695online at: 30-Apr-2003 12:01
On Wed, Apr 30, 2003 at 05:28:35PM +0200, Maarten Koopmans wrote:
> Which is possible, as REBOL supports all the encryption needed, but...
> most of that stuff is BER encoded (ASN.1)
>
I don't suppose we can interact with pgp (public key servers, etc),
can we?
--
signature sneezing: "achoo!"
-tom
[7/8] from: petr::krenzelok::trz::cz at: 30-Apr-2003 19:52
Ladislav Mecir wrote:
>Hi Pekr,
>>simple question - for e-business automation purposes, our law allows to
<<quoted lines omitted: 9>>
>>
>According to the czech law the electronic signature isn't "just" a public key file attached
>to the end of the email. To be recognized as an electronic signature, it has to be registered.
yes .... I am now pressed for the time, so I haven't read all the
answers properly yet, but it works as follows:
- there is a so-called Certification Authority - an independent, trusted
party, which you ask to generate a certificate for you
- let's say your company wants to send me an e-signed invoice - you tell me
what CA you use, and I have to install their Certificate
- you send me e-signed (beware - e-signed does not necessarily mean
encrypted) stuff
- I extract the key from the message body and check it against the installed CA, if
you are a valid partner to deal with
1) here you can input your e-mail address, and CA Czechia will send you
an example email - you can look at message source in your favourite
mailer. In Mozilla and Outlook, you will find special icon, which will
enable you to see certificate tree -
http://www.caczechia.cz/ca/poslatmail.asp
2) and here you can see ROOT CA Czechia Certificate, CA Czechia
certificate - http://www.caczechia.cz/ca/cacert.asp
try following link -
print read http://www.caczechia.cz/ca/caczechiaroot.cer
and try to press it as a link from your browser - as you can probably
see - browsers know how to parse it - you will be able to accept it and
see its structure. I called Czechia Tech support and they told me
OpenSSL was used + some OS services or so. Now the question is - if
browsers know how to parse it into structure, why Command can't? Maybe
that is exactly what Command docs note is about - it can handle
certificates internally, but does not expose the info .... in such case
though, Command misses one fine area of possible usage - apps for
e-signed communication ...
... or am I still missing something? :-)
Cheers,
-pekr-
[8/8] from: maarten:koopmans:surfnet:nl at: 1-May-2003 7:34
Petr,
You aren't missing anything. Right now the alternative is implementing
this yourself using REBOL, which is easy once you get the encoding right.
You'll need BER IIRC, which is also used in SNMP, which in turn has a
demo script on rebolfrance.org... I have a remote interest in PKI, maybe
I can find some time (but I promise nothing).
--Maarten
Petr Krenzelok wrote:
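The BER/DER decoding Maarten refers to, run over the smime.p7s excerpt Petr quoted in the first message. This is an added example in Python (not REBOL, and not code from the thread): a lenient ASN.1 TLV walker that tolerates the cut-off attachment ("etc.") by clamping declared lengths to the bytes present, prints the structure a browser shows as a certificate tree, and pulls the issuer name fields out of it. The OID-to-name table covers only the identifiers that occur in the excerpt; pairing each attribute-type OID with the string that follows it is a simplification that holds for X.509 Name RDNs (SEQUENCE { type, value }) but is not a general parser. The output also answers the question in the first message: the attachment is a PKCS#7 SignedData carrying certificates, not a bare public key.

```python
"""Lenient DER/BER walker, run over the smime.p7s excerpt from the first
message. Added example in Python; not REBOL and not from the thread."""
import base64

# The base64 lines quoted in the first message. The attachment was cut off
# there ("etc."), so declared lengths run past the data and the walker must
# cope with that instead of failing.
P7S_EXCERPT = (
    "MIIWIgYJKoZIhvcNAQcCoIIWEzCCFg8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3"
    "DQEHAaCCFAYwggPkMIIDTaADAgECAgphClXfAAAAAAGaMA0GCSqGSIb3DQEBBQUA"
    "MHsxITAfBgkqhkiG9w0BCQEWEmFkbWluQGNhY3plY2hpYS5jejELMAkGA1UEBhMC"
    "VVMxDTALBgNVBAcTBEJybm8xJTAjBgNVBAoTHENldGlmaWthY25pIGF1dG9yaXRh"
    "IEN6ZWNoaWExEzARBgNVBAMTCkNBIEN6ZWNoaWEwHhcNMDMwMjI1MTI0MzM0Wh"
)

# Names for the OIDs that occur in the excerpt (PKCS#7, PKCS#1, X.520 attributes).
OID_NAMES = {
    "1.2.840.113549.1.7.2": "pkcs7-signedData",
    "1.2.840.113549.1.7.1": "pkcs7-data",
    "1.3.14.3.2.26": "sha1",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.9.1": "emailAddress",
    "2.5.4.3": "commonName", "2.5.4.6": "countryName",
    "2.5.4.7": "localityName", "2.5.4.10": "organizationName",
}
STRING_TAGS = {0x0c: "UTF8String", 0x13: "PrintableString",
               0x16: "IA5String", 0x17: "UTCTime"}
TAG_NAMES = {0x02: "INTEGER", 0x05: "NULL", 0x06: "OID", **STRING_TAGS}


def decode_oid(body):
    """Decode the base-128 content octets of an OBJECT IDENTIFIER."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7f)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_length(buf, i):
    """Return (length, index after it), or (None, i) for BER indefinite form or truncation."""
    if i >= len(buf):
        return None, i
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i
    n = first & 0x7f
    if n == 0 or i + n > len(buf):
        return None, i
    return int.from_bytes(buf[i:i + n], "big"), i + n


def _decode(tag, body):
    if tag == 0x06:
        return decode_oid(body)
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag == 0x05:
        return None
    if tag in STRING_TAGS:
        return body.decode("latin-1")
    return body.hex()


def walk(buf, start=0, end=None, depth=0, out=None):
    """Append (depth, tag, value, note) for every TLV in buf[start:end]; for
    constructed tags the value is the declared length and children follow."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    i = start
    while i < end:
        tag = buf[i]
        length, i = _read_length(buf, i + 1)
        if length is None:
            out.append((depth, tag, None, " (length unreadable: truncated or indefinite)"))
            break
        stop = min(i + length, end)                      # clamp to what we have
        note = "" if i + length <= end else f" (truncated: {stop - i} of {length} bytes present)"
        if tag & 0x20:                                   # constructed: SEQUENCE, SET, [n]
            out.append((depth, tag, length, note))
            walk(buf, i, stop, depth + 1, out)
        else:
            out.append((depth, tag, _decode(tag, buf[i:stop]), note))
        i = stop
    return out


def describe(entry):
    depth, tag, value, note = entry
    if tag & 0x20:
        text = f"constructed 0x{tag:02x} len={value}"
    elif tag == 0x06:
        text = f"OID {value} ({OID_NAMES.get(value, '?')})"
    else:
        text = f"{TAG_NAMES.get(tag, 'tag 0x%02x' % tag)} {value!r}"
    return "  " * depth + text + note


def parse_excerpt(b64=P7S_EXCERPT):
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # re-pad the cut-off text
    return walk(raw)


def name_fields(entries):
    """Pair attribute-type OIDs with the string value that follows (X.509 Name RDNs)."""
    fields = {}
    for cur, nxt in zip(entries, entries[1:]):
        if cur[1] == 0x06 and nxt[1] in (0x0c, 0x13, 0x16) and nxt[0] == cur[0]:
            fields[OID_NAMES.get(cur[2], cur[2])] = nxt[2]
    return fields


if __name__ == "__main__":
    tree = parse_excerpt()
    for entry in tree:
        print(describe(entry))
    print(name_fields(tree))
```

Two caveats for anyone building on this. BER indefinite lengths (a 0x80 length octet), which S/MIME producers are allowed to emit, are reported rather than parsed, so a real implementation needs that case. And walking the structure is only the first step of what Petr describes: checking the signer's certificate against the installed CA means parsing the whole certificate chain, validating each signature and the validity periods, and then checking the signerInfos against the message body, none of which this block does.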
Notes
- Quoted lines have been omitted from some messages.