couchdb-user mailing list archives

From Albin Stigö <albin.st...@gmail.com>
Subject Re: Cryptographically signed docs...
Date Wed, 04 Jul 2012 18:43:07 GMT
Sounds interesting.. I think I will take this to the developers mailing
list and see if I will be able to generate some interest in the idea..

Albin

On Wednesday, 4 July 2012, Jan Bot wrote:

> Hi,
>
> This would really be a great feature: I'm using CouchDB to manage grid
> compute jobs and having the ability to sign a document using a private key
> and check it server side with the public key could really make couchdb part
> of the grid infrastructure.
>
> Cheers,
>
> Jan
>
> On Wed, Jul 4, 2012 at 11:17 AM, Albin Stigö <albin.stigo@gmail.com>
> wrote:
>
> > Hi,
> >
> > Jens, thanks for the link. Did you ever finish the app where you were
> > using these techniques?
> >
> > First I naively thought that it would be enough to hash the body of
> > what you are going to PUT/POST and then sign that hash and include the
> > signature as a custom http header. I guess this would work for
> > verifying the data on the first post but you would not be able to
> > verify the signature later if couchdb does any parsing of the
> > transported data.
> >
> > What you are suggesting, using a canonical representation of JSON,
> > seems like a much better idea; it is also apparently what oauth uses.
> >
> > I guess this would require some hacking on couchdb. It would be really
> > neat to have a _keys database much like the _users and for
> > documents to have a _signature field. What do you think..?
> >
> > --Albin
> >
> >
> >
> > On Wed, Jul 4, 2012 at 3:07 AM, Jens Alfke <jens@couchbase.com>
> > wrote:
> > >
> > > On Jul 3, 2012, at 10:01 AM, Jim Klo wrote:
> > >
> > >> Yes, and as a matter of fact, I just got digital signature validation
> > >> using OpenPGP within a map function working a few minutes ago!
> > >> Here's a link to the relevant code:
> > >> https://github.com/jimklo/TheCollector/blob/master/dataservices/thecollector-resources/views/lib/sig_utils.js
> > >
> > > As far as I can tell, this code uses a data schema where the signed
> > > contents are wrapped in some kind of OpenPGP encoding:
> > >
> > >>         var msg_list = openpgp.read_message(doc.digital_signature.signature);
> > >>         for (var i=0; i<msg_list.length; i++) {
> > >>             isValid |= msg_list[i].verifySignature();
> > >>         }
> > >
> > > It looks like msg_list is the actual document payload, which has to be
> > > decoded using openpgp.read_message.
> > >
> > > This is IMHO not a very good solution because it hides the document
> > > contents away — for example, all the map functions and any app logic that
> > > uses documents will have to know to call read_message, which will also
> > > make them slower.
> > >
> > > The schema I implemented (see my previous message) doesn't alter the
> > > basic document format. The signature is in a nested object but applies to
> > > the entire document contents (minus the signature itself of course).
> > > There's no need to change any code that reads documents; the only time
> > > you have to know about the signature scheme is while verifying the
> > > signature. It's even possible to have multiple signatures on a document.
> > >
> > > —Jens
> >
>
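
An added example, not code from any participant in this thread or from CouchDB: it contrasts the body-hash approach described above with a signature over a canonical form, stored in a nested object that covers the rest of the document. The field names `signature`, `key_id` and `alg`, the choice of Ed25519, the simplified canonical form, and leaving `_rev` out of the signed bytes are all assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// Simplified canonical JSON (assumption of this example, not a published spec):
// object keys sorted recursively, no insignificant whitespace.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Bytes the signature covers: the whole document minus the signature object.
// _rev is also left out (assumption) because the server assigns it after signing.
function signedBytes(doc) {
  const { signature, _rev, ...rest } = doc;
  return Buffer.from(canonicalize(rest), 'utf8');
}

function signDoc(doc, keyId, privateKey) {
  const value = crypto.sign(null, signedBytes(doc), privateKey).toString('base64');
  return { ...doc, signature: { key_id: keyId, alg: 'ed25519', value } };
}

function verifyDoc(doc, publicKeys) {
  const s = doc.signature;
  if (!s || s.alg !== 'ed25519' || typeof s.value !== 'string') return false;
  if (!Object.prototype.hasOwnProperty.call(publicKeys, s.key_id)) return false;
  const sig = Buffer.from(s.value, 'base64');
  return crypto.verify(null, signedBytes(doc), publicKeys[s.key_id], sig);
}

// Stand-in for a store that parses and re-serializes: reversed member order
// plus a server-assigned _rev (constructed value).
function restore(doc) {
  const reordered = Object.fromEntries(Object.entries(doc).reverse());
  return JSON.parse(JSON.stringify({ ...reordered, _rev: '1-constructed' }));
}

// Constructed sample data: throwaway key pair and a made-up job document.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const publicKeys = { 'submitter-1': publicKey };
const job = { _id: 'job-42', type: 'job', cmd: 'render', args: [1, 2] };
// Naive scheme from the thread: signature over the exact request body bytes.
const bodySig = crypto.sign(null, Buffer.from(JSON.stringify(job)), privateKey);
const naiveOk = crypto.verify(null, Buffer.from(JSON.stringify(restore(job))), publicKey, bodySig);
const canonicalOk = verifyDoc(restore(signDoc(job, 'submitter-1', privateKey)), publicKeys);
console.log({ naiveOk, canonicalOk });
```

The body-bytes signature stops verifying once the stored document is serialized differently, while the canonical-form signature still verifies and still rejects a changed field or an unknown key id.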
