On 27.06.2015 11:17, Chris Angelico wrote:

> Good, so this isn't like that episode of Yes Minister when they were
> trying to figure out whether to allow a chemical factory to be built.

I must admit that I have no clue about that show or that episode in particular and needed to read up on it: https://en.wikipedia.org/wiki/The_Greasy_Pole

>> I must admit that I haven't seen your ideas in this thread?
>
> No, the proposal I'm putting together is unrelated. You'll see the
> *vast* extent of my security skills here:
>
> https://github.com/Rosuav/ThirdSquare
>
> My contribution to this thread has been fairly minor, just suggesting
> one attack that doesn't even work any more, not much else.

Well, if people already have a solution ready there's a good chance that any criticism falls on deaf ears. In any case something that others have to be responsible for, their party, their choice.

I've looked at your code even though I don't know pike. That's the typesafe JavaScript derivative, isn't it? The only thing that I found horrible was the ssh key format to PKCS parsing. Man that's hacky :-) You're creating a DER structure on-the-fly that you fill with the key and that you then have parsed back.

I've only seen ssh-keygen used to generate keys (not to initiate actual ssh connections), why don't you use openssl to generate the keys? I think you can generate an RSA keypair in openssl (also valid for ssh should you need it) and I'm pretty sure that you can generate an ssh public key with ssh-keygen from that private keypair file. That would eliminate the need to do this kind of parsing, but it's just a PoC as I understand it.

It appears to be online-only, is that correct? Is Internet coverage so good down under? I wish this were the case in Germany :-/

Not 100% about it, but I think that the bus concepts that are active in Germany (locally in some cities) either use asymmetric transponders (i.e. SmartMX), which gives a beautiful, decentralized, secure and offline solution at the cost of being comparatively expensive. The others use symmetric transponders which have limited off-line functionality: i.e. monotonic counters which are reset in a cryptographically secured way by backend systems every time an online-connection persists and which are counted down in the offline case.

In any case, interesting. Thanks for sharing.

Best regards,
Johannes

--
>> Where exactly had you predicted the quake again?
> At least not publicly!
Ah, the newest and to this day most ingenious stroke of our great
cosmologist: the secret prediction.
 - Karl Kaos on Rüdiger Thomas in dsa <hidbv3$om2$1...@speranza.aioe.org>
--
https://mail.python.org/mailman/listinfo/python-list
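
An added example, not part of the message above and not code from ThirdSquare: the `ssh-rsa` public-key line that the message discusses converting can be read directly into (e, n) by walking its RFC 4253 length-prefixed fields, with bounds checks, instead of building a DER structure and parsing it back. The function names are hypothetical and the sample key is constructed (the modulus is not a real RSA modulus).

```python
import base64
import struct

def read_string(buf, off):
    """Read one RFC 4251 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("length field runs past end of blob")
    return buf[off:off + n], off + n

def read_mpint(buf, off):
    # mpint is two's complement; an RSA e or n must never have the sign bit set.
    raw, off = read_string(buf, off)
    if raw and raw[0] & 0x80:
        raise ValueError("negative mpint in RSA key")
    return int.from_bytes(raw, "big"), off

def parse_ssh_rsa_pubkey(line):
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    alg, off = read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("inner algorithm name does not match")
    e, off = read_mpint(blob, off)
    n, off = read_mpint(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return e, n

def build_ssh_rsa_line(e, n, comment="constructed@example"):
    """Encoder used only to make the constructed sample below."""
    def mpint(x):
        # Minimal big-endian encoding with a leading 0x00 when the high bit is set.
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample: a 2048-bit odd number standing in for a modulus.
SAMPLE_N = (1 << 2047) | 0xC0FFEE1
SAMPLE_LINE = build_ssh_rsa_line(65537, SAMPLE_N)

if __name__ == "__main__":
    e, n = parse_ssh_rsa_pubkey(SAMPLE_LINE)
    print("e =", e, "modulus bits =", n.bit_length())
```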