Newsgroups: php.internals
Xref: news.php.net php.internals:48336
Message-ID: <4BF32F47.8030104@gmail.com>
Date: Wed, 19 May 2010 01:22:31 +0100
From: nrixham@gmail.com (Nathan Rixham)
To: Sriram Natarajan
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] SPKAC support for openssl in PHP

Moving forwards, a lot of authentication will be done in an HTTP-friendly stateless manner, namely via HTTPS where the user is identified by client-side SSL certificates.

In order to give the user a certificate, you need to generate one, which you can currently do with openssl in PHP, and provide the user with a pkcs12 certificate+private key to install. However, pkcs12 has a security flaw in that the application giving the certificates also has the private key.

SPKAC addresses this because the private key never leaves the user's browser, thus it is the preferred option - and as mentioned there will be an ever increasing need for this in PHP once HTML5 takes off (due to the KEYGEN element, which is widely supported already) and FOAF+SSL, which as I mentioned will be going through standardisation in the near future.

Best,

Nathan

Sriram Natarajan wrote:
> I am curious as to why you need this feature within PHP. I would
> expect that web server administrators typically need such feature but
> I am missing the context of it within PHP script engine.
>
> - Sriram
>
> On Tue, May 18, 2010 at 2:05 AM, Nathan Rixham wrote:
>> Hi All,
>>
>> Wondering if there is any support for SPKAC [1] in the openssl extension for
>> PHP?
>>
>> If not, is it planned, and if not, can it be? KEYGEN/SPKAC support is growing
>> in the UA vendors and KEYGEN is part of HTML5, being the preferred way to
>> generate client-side SSL certificates since the private key never leaves the
>> browser. Further, the need for client-side certificate generation will be
>> growing somewhat over the next couple of years thanks to FOAF+SSL - which I
>> believe is about to start going through standardisation.
>>
>> At the minute we have to take a rather hacky approach in PHP [2] and it
>> gets much worse if you want to use x509 v3 extensions: you have to go
>> through a nasty process of using a bash script to gen a custom openssl.conf
>> on the fly to use in the SPKAC request.
>>
>> Best,
>>
>> Nathan
>>
>> [1] http://en.wikipedia.org/wiki/Spkac
>> [2] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
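The enrolment flow Nathan describes, as an added example that is not part of the thread and not PHP's own code: the server-side half of a KEYGEN/SPKAC exchange, written with the openssl_spki_* functions that PHP's openssl extension gained later, in PHP 5.6 (the thread predates them). It verifies the self-signature, which proves the browser holds the private key without the server ever seeing it, checks that the embedded challenge is the nonce this session was issued so an SPKAC captured elsewhere cannot be replayed, exports the public key, and then builds the input file for `openssl ca -spkac`, which remains the step PHP has no native call for. The form field name, the challenge handling, the DN values, the helper names and the allowlist rules are assumptions for the demonstration; the browser side is simulated offline with openssl_spki_new(). Needs PHP 7.1 or later with the openssl extension.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or from PHP's own sources): server-side
// handling of a <keygen>/SPKAC enrolment with PHP 5.6+'s openssl_spki_*
// functions. Field names, session handling and DN values are assumptions.

// Reduce the posted value to bare base64: browsers post raw base64,
// openssl_spki_new() prefixes "SPKAC=", and either may be line-wrapped.
function spkac_normalise(string $raw): string
{
    $raw = trim($raw);
    if (strncmp($raw, 'SPKAC=', 6) === 0) {
        $raw = substr($raw, 6);
    }
    return (string) preg_replace('/\s+/', '', $raw);
}

// Accept an SPKAC only if (a) its self-signature verifies, proving possession
// of the private key, and (b) the embedded challenge equals the nonce this
// session was given when the form was rendered. Returns the PEM public key.
function spkac_accept(string $raw, string $expectedChallenge): ?string
{
    $spkac = spkac_normalise($raw);
    if ($spkac === '' || !openssl_spki_verify($spkac)) {
        return null;
    }
    $challenge = openssl_spki_export_challenge($spkac);
    if ($challenge === false || !hash_equals($expectedChallenge, $challenge)) {
        return null;                       // replayed or stale request
    }
    $pem = openssl_spki_export($spkac);    // "-----BEGIN PUBLIC KEY-----" ...
    return $pem === false ? null : $pem;
}

// PHP cannot sign a bare public key into a certificate (openssl_csr_sign()
// needs a CSR, which needs the private key we deliberately never hold), so
// the last step is the `openssl ca -spkac` input file: a SPKAC= line followed
// by DN components. The DN comes from the server's authenticated view of the
// user, never from the form, and values are allowlisted because the file is
// parsed by openssl's config reader (assumed allowlist, tighten as needed).
function spkac_ca_request(string $raw, array $dn): string
{
    $lines = ['SPKAC=' . spkac_normalise($raw)];
    foreach ($dn as $field => $value) {
        if (!preg_match('/^(\d+\.)?[A-Za-z]+$/', $field)
            || !preg_match('/^[A-Za-z0-9 .@_-]+$/', $value)) {
            throw new InvalidArgumentException("unsafe DN component: $field");
        }
        $lines[] = $field . '=' . $value;
    }
    return implode("\n", $lines) . "\n";
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// --- Offline run: stand in for <keygen name="spkac" challenge="..."> ---
$challenge  = bin2hex(random_bytes(16));   // real code: stored in $_SESSION
$browserKey = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
// Browsers historically signed SPKACs with MD5 (PHP's default); use SHA-256.
$posted = openssl_spki_new($browserKey, $challenge, OPENSSL_ALGO_SHA256);
if ($posted === false) {
    throw new RuntimeException('openssl_spki_new failed');
}

$pem = spkac_accept($posted, $challenge);
check($pem !== null && strpos($pem, 'BEGIN PUBLIC KEY') !== false,
      'valid SPKAC yields the public key');
check(spkac_accept($posted, bin2hex(random_bytes(16))) === null,
      'SPKAC with another session\'s challenge is rejected');

// Flip one base64 character near the end (inside the signature BIT STRING):
// key and challenge still parse, but the self-signature no longer verifies.
$b64 = spkac_normalise($posted);
$i   = strlen($b64) - 20;
$tampered = substr($b64, 0, $i) . ($b64[$i] === 'A' ? 'B' : 'A') . substr($b64, $i + 1);
check(spkac_accept($tampered, $challenge) === null, 'tampered signature is rejected');

echo spkac_ca_request($posted, ['CN' => 'alice', 'emailAddress' => 'alice@example.com']);
```

Run it with `php spkac_demo.php`. In a real deployment the challenge is generated when the form containing the keygen element is rendered and kept in the session, the posted field is passed to spkac_accept(), and the text returned by spkac_ca_request() is written to a file and signed with `openssl ca -config openssl.cnf -spkac request.txt -out cert.pem`; the v3 extensions Nathan mentions still come from that openssl.cnf, which is the part the thread calls hacky.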