I'm a programmer, here are some projects I'm involved in.
My current interest is cryptographic key management and alternatives to PKI.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.
TLS Lite
Code: tls_lite python library v0.1.8 (.zip, readme.txt)
TLS Lite is a free python library that implements SSL 3.0 and TLS 1.0.
TLS Lite supports non-traditional authentication methods such as SRP,
shared keys,
and cryptoIDs, in addition to X.509 certificates. TLS Lite is pure
Python, however it can access OpenSSL or
cryptlib for faster crypto operations.
TLS/SRP
Internet-Draft: Using SRP for TLS Authentication (.txt, .html)
SRP is the best way to do password authentication across a network. TLS (aka SSL v3.1) is the best way to do channel security. What could go better together?
This draft modifies the TLS handshake to use SRP. This combination of
password-based mutual authentication and the TLS record layer is
ideal for protecting protocols like POP3 and HTTP.
DSS
Requirements: DSS Use Case Requirements Analysis (.pdf, .doc)
Specification Working Draft: Digital Signature Service Core Protocol and Elements (.pdf, .doc)
Schema Working Draft: oasis-dss-1.0-core-schema-wd-10 (.xsd)
Somewhat Related Paper: Delegated Cryptography, Online Trusted Third Parties, and PKI
(.pdf, .html)
(presented at the 1st Annual PKI Research Workshop)
The OASIS Digital Signature Service Technical Committee is designing protocols for signing, verifying, and time-stamping of XML documents and other data. The idea is to perform these operations on servers, thus freeing clients from having to manage private keys, calculate certificate paths, and so on.
Also listed is a paper arguing for the server-based approach vs. client-side PKI.
CryptoURLs
Draft of potential Internet-Draft: The "crypto" URL scheme (.txt, .html)
CryptoURLs add "crypto metadata" like content hashes and key fingerprints to normal URLs. The resulting URLs are self-authenticating, like SFS file names or Cryptographically Generated Addresses. These could be useful in:
This is a python script that generates java, python, and C# wrappers for
cryptlib. A set of wrappers for
cryptlib 3.1 is included in the .zip file. The python and C# wrappers are also included in the latest cryptlib distribution.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.
TLS Lite
Code: tls_lite python library v0.1.8 (.zip, readme.txt)
TLS Lite is a free python library that implements SSL 3.0 and TLS 1.0.
TLS Lite supports non-traditional authentication methods such as SRP,
shared keys,
and cryptoIDs, in addition to X.509 certificates. TLS Lite is pure
Python, however it can access OpenSSL or
cryptlib for faster crypto operations.
TLS/SRP
Internet-Draft: Using SRP for TLS Authentication (.txt, .html)
SRP is the best way to do password authentication across a network. TLS (aka SSL v3.1) is the best way to do channel security. What could go better together?
This draft modifies the TLS handshake to use SRP. This combination of
password-based mutual authentication and the TLS record layer is
ideal for protecting protocols like POP3 and HTTP.
DSS
Requirements: DSS Use Case Requirements Analysis (.pdf, .doc)
Specification Working Draft: Digital Signature Service Core Protocol and Elements (.pdf, .doc)
Schema Working Draft: oasis-dss-1.0-core-schema-wd-10 (.xsd)
Somewhat Related Paper: Delegated Cryptography, Online Trusted Third Parties, and PKI
(.pdf, .html)
(presented at the 1st Annual PKI Research Workshop)
The OASIS Digital Signature Service Technical Committee is designing protocols for signing, verifying, and time-stamping of XML documents and other data. The idea is to perform these operations on servers, thus freeing clients from having to manage private keys, calculate certificate paths, and so on.
Also listed is a paper arguing for the server-based approach vs. client-side PKI.
CryptoURLs
Draft of potential Internet-Draft: The "crypto" URL scheme (.txt, .html)
CryptoURLs add "crypto metadata" like content hashes and key fingerprints to normal URLs. The resulting URLs are self-authenticating, like SFS file names or Cryptographically Generated Addresses. These could be useful in:
This is a python script that generates java, python, and C# wrappers for
cryptlib. A set of wrappers for
cryptlib 3.1 is included in the .zip file. The python and C# wrappers are also included in the latest cryptlib distribution.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.
TLS Lite
Code: tls_lite python library v0.1.8 (.zip, readme.txt)
TLS Lite is a free python library that implements SSL 3.0 and TLS 1.0.
TLS Lite supports non-traditional authentication methods such as SRP,
shared keys,
and cryptoIDs, in addition to X.509 certificates. TLS Lite is pure
Python, however it can access OpenSSL or
cryptlib for faster crypto operations.
TLS/SRP
Internet-Draft: Using SRP for TLS Authentication (.txt, .html)
SRP is the best way to do password authentication across a network. TLS (aka SSL v3.1) is the best way to do channel security. What could go better together?
This draft modifies the TLS handshake to use SRP. This combination of
password-based mutual authentication and the TLS record layer is
ideal for protecting protocols like POP3 and HTTP.
DSS
Requirements: DSS Use Case Requirements Analysis (.pdf, .doc)
Specification Working Draft: Digital Signature Service Core Protocol and Elements (.pdf, .doc)
Schema Working Draft: oasis-dss-1.0-core-schema-wd-10 (.xsd)
Somewhat Related Paper: Delegated Cryptography, Online Trusted Third Parties, and PKI
(.pdf, .html)
(presented at the 1st Annual PKI Research Workshop)
The OASIS Digital Signature Service Technical Committee is designing protocols for signing, verifying, and time-stamping of XML documents and other data. The idea is to perform these operations on servers, thus freeing clients from having to manage private keys, calculate certificate paths, and so on.
Also listed is a paper arguing for the server-based approach vs. client-side PKI.
CryptoURLs
Draft of potential Internet-Draft: The "crypto" URL scheme (.txt, .html)
CryptoURLs add "crypto metadata" like content hashes and key fingerprints to normal URLs. The resulting URLs are self-authenticating, like SFS file names or Cryptographically Generated Addresses. These could be useful in:
This is a python script that generates java, python, and C# wrappers for
cryptlib. A set of wrappers for
cryptlib 3.1 is included in the .zip file. The python and C# wrappers are also included in the latest cryptlib distribution.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.
TLS Lite
Code: tls_lite python library v0.1.8 (.zip, readme.txt)
TLS Lite is a free python library that implements SSL 3.0 and TLS 1.0.
TLS Lite supports non-traditional authentication methods such as SRP,
shared keys,
and cryptoIDs, in addition to X.509 certificates. TLS Lite is pure
Python, however it can access OpenSSL or
cryptlib for faster crypto operations.
TLS/SRP
Internet-Draft: Using SRP for TLS Authentication (.txt, .html)
SRP is the best way to do password authentication across a network. TLS (aka SSL v3.1) is the best way to do channel security. What could go better together?
This draft modifies the TLS handshake to use SRP. This combination of
password-based mutual authentication and the TLS record layer is
ideal for protecting protocols like POP3 and HTTP.
DSS
Requirements: DSS Use Case Requirements Analysis (.pdf, .doc)
Specification Working Draft: Digital Signature Service Core Protocol and Elements (.pdf, .doc)
Schema Working Draft: oasis-dss-1.0-core-schema-wd-10 (.xsd)
Somewhat Related Paper: Delegated Cryptography, Online Trusted Third Parties, and PKI
(.pdf, .html)
(presented at the 1st Annual PKI Research Workshop)
The OASIS Digital Signature Service Technical Committee is designing protocols for signing, verifying, and time-stamping of XML documents and other data. The idea is to perform these operations on servers, thus freeing clients from having to manage private keys, calculate certificate paths, and so on.
Also listed is a paper arguing for the server-based approach vs. client-side PKI.
CryptoURLs
Draft of potential Internet-Draft: The "crypto" URL scheme (.txt, .html)
CryptoURLs add "crypto metadata" like content hashes and key fingerprints to normal URLs. The resulting URLs are self-authenticating, like SFS file names or Cryptographically Generated Addresses. These could be useful in:
This is a python script that generates java, python, and C# wrappers for
cryptlib. A set of wrappers for
cryptlib 3.1 is included in the .zip file. The python and C# wrappers are also included in the latest cryptlib distribution.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.
TLS Lite
Code: tls_lite python library v0.1.8 (.zip, readme.txt)
TLS Lite is a free python library that implements SSL 3.0 and TLS 1.0.
TLS Lite supports non-traditional authentication methods such as SRP,
shared keys,
and cryptoIDs, in addition to X.509 certificates. TLS Lite is pure
Python, however it can access OpenSSL or
cryptlib for faster crypto operations.
TLS/SRP
Internet-Draft: Using SRP for TLS Authentication (.txt, .html)
SRP is the best way to do password authentication across a network. TLS (aka SSL v3.1) is the best way to do channel security. What could go better together?
This draft modifies the TLS handshake to use SRP. This combination of
password-based mutual authentication and the TLS record layer is
ideal for protecting protocols like POP3 and HTTP.
DSS
Requirements: DSS Use Case Requirements Analysis (.pdf, .doc)
Specification Working Draft: Digital Signature Service Core Protocol and Elements (.pdf, .doc)
Schema Working Draft: oasis-dss-1.0-core-schema-wd-10 (.xsd)
Somewhat Related Paper: Delegated Cryptography, Online Trusted Third Parties, and PKI
(.pdf, .html)
(presented at the 1st Annual PKI Research Workshop)
The OASIS Digital Signature Service Technical Committee is designing protocols for signing, verifying, and time-stamping of XML documents and other data. The idea is to perform these operations on servers, thus freeing clients from having to manage private keys, calculate certificate paths, and so on.
Also listed is a paper arguing for the server-based approach vs. client-side PKI.
CryptoURLs
Draft of potential Internet-Draft: The "crypto" URL scheme (.txt, .html)
CryptoURLs add "crypto metadata" like content hashes and key fingerprints to normal URLs. The resulting URLs are self-authenticating, like SFS file names or Cryptographically Generated Addresses. These could be useful in:
This is a python script that generates java, python, and C# wrappers for
cryptlib. A set of wrappers for
cryptlib 3.1 is included in the .zip file. The python and C# wrappers are also included in the latest cryptlib distribution.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.
TLS Lite
Code: tls_lite python library v0.1.8 (.zip, readme.txt)
TLS Lite is a free python library that implements SSL 3.0 and TLS 1.0.
TLS Lite supports non-traditional authentication methods such as SRP,
shared keys,
and cryptoIDs, in addition to X.509 certificates. TLS Lite is pure
Python, however it can access OpenSSL or
cryptlib for faster crypto operations.
TLS/SRP
Internet-Draft: Using SRP for TLS Authentication (.txt, .html)
SRP is the best way to do password authentication across a network. TLS (aka SSL v3.1) is the best way to do channel security. What could go better together?
This draft modifies the TLS handshake to use SRP. This combination of
password-based mutual authentication and the TLS record layer is
ideal for protecting protocols like POP3 and HTTP.
DSS
Requirements: DSS Use Case Requirements Analysis (.pdf, .doc)
Specification Working Draft: Digital Signature Service Core Protocol and Elements (.pdf, .doc)
Schema Working Draft: oasis-dss-1.0-core-schema-wd-10 (.xsd)
Somewhat Related Paper: Delegated Cryptography, Online Trusted Third Parties, and PKI
(.pdf, .html)
(presented at the 1st Annual PKI Research Workshop)
The OASIS Digital Signature Service Technical Committee is designing protocols for signing, verifying, and time-stamping of XML documents and other data. The idea is to perform these operations on servers, thus freeing clients from having to manage private keys, calculate certificate paths, and so on.
Also listed is a paper arguing for the server-based approach vs. client-side PKI.
CryptoURLs
Draft of potential Internet-Draft: The "crypto" URL scheme (.txt, .html)
CryptoURLs add "crypto metadata" like content hashes and key fingerprints to normal URLs. The resulting URLs are self-authenticating, like SFS file names or Cryptographically Generated Addresses. These could be useful in:
This is a python script that generates java, python, and C# wrappers for
cryptlib. A set of wrappers for
cryptlib 3.1 is included in the .zip file. The python and C# wrappers are also included in the latest cryptlib distribution.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.
TLS Lite
Code: tls_lite python library v0.1.8 (.zip, readme.txt)
TLS Lite is a free python library that implements SSL 3.0 and TLS 1.0.
TLS Lite supports non-traditional authentication methods such as SRP,
shared keys,
and cryptoIDs, in addition to X.509 certificates. TLS Lite is pure
Python, however it can access OpenSSL or
cryptlib for faster crypto operations.
TLS/SRP
Internet-Draft: Using SRP for TLS Authentication (.txt, .html)
SRP is the best way to do password authentication across a network. TLS (aka SSL v3.1) is the best way to do channel security. What could go better together?
This draft modifies the TLS handshake to use SRP. This combination of
password-based mutual authentication and the TLS record layer is
ideal for protecting protocols like POP3 and HTTP.
DSS
Requirements: DSS Use Case Requirements Analysis (.pdf, .doc)
Specification Working Draft: Digital Signature Service Core Protocol and Elements (.pdf, .doc)
Schema Working Draft: oasis-dss-1.0-core-schema-wd-10 (.xsd)
Somewhat Related Paper: Delegated Cryptography, Online Trusted Third Parties, and PKI
(.pdf, .html)
(presented at the 1st Annual PKI Research Workshop)
The OASIS Digital Signature Service Technical Committee is designing protocols for signing, verifying, and time-stamping of XML documents and other data. The idea is to perform these operations on servers, thus freeing clients from having to manage private keys, calculate certificate paths, and so on.
Also listed is a paper arguing for the server-based approach vs. client-side PKI.
CryptoURLs
Draft of potential Internet-Draft: The "crypto" URL scheme (.txt, .html)
CryptoURLs add "crypto metadata" like content hashes and key fingerprints to normal URLs. The resulting URLs are self-authenticating, like SFS file names or Cryptographically Generated Addresses. These could be useful in:
This is a python script that generates java, python, and C# wrappers for
cryptlib. A set of wrappers for
cryptlib 3.1 is included in the .zip file. The python and C# wrappers are also included in the latest cryptlib distribution.
CryptoIDs
Paper 1: Public Key Distribution through "cryptoIDs" (.pdf, .html) (presented at NSPW 2003)
Paper 2: The CryptoID Key Management Protocols (.pdf) (the best introduction)
Schema: XML Schema for <certChain> (.xsd)
Code: CryptoIDlib Python and Java library and command-line tool v0.1.8 (.zip, readme.txt)
PKI isn't working for person-to-person communications. Few people use secure email, voice, instant-messaging, or anything else.
CryptoIDs are an alternative. The idea is for people to exchange small, user-friendly fingerprints (aka "cryptoIDs") like 'cyhf4.9ajd8.kbdx4.rk98c'. These could be passed around and stored in address books as if they were phone numbers or postal addresses.
The cryptoID for each user would correspond to that user's root key. The user would keep his root key in a safe place - his employer or some commercial service might hold it for him. The rootholder would operate an online service which would issue short-lived subkey certificates or validation signatures to the user.
CryptoIDs, then, are about combining fingerprint-based public-key distribution with certificate-based private-key management. The first paper above presents the cryptoID fingerprint and certificate formats, which are designed specifically for this. CryptoIDlib lets you test-drive these formats.
The second paper presents private-key management protocols for use with online servers.
Support for these is being added to cryptoIDlib.