Wednesday Nov 12, 2008

Moving My Blog...

I've decided to start a new blog on WordPress.
I'll cover more topics although I do expect to still focus quite a bit on identity management and web services!
I see that as a chance for me to get more motivated about my blogging!


Tuesday Nov 11, 2008

Public/Private keys and X.509 certificate

Browsing here and there I gathered the following steps to create an RSA public/private key pair for digitally signing messages (or assertions), together with the X.509 certificate that binds the public key to a name. The steps assume OS X, but since most of it is plain openssl (plus the JDK's keytool) it is pretty UNIX-generic. Hopefully it saves someone else from hunting for this info...

  1. Creating the key pair (keytool also wraps the public key in a self-signed certificate valid 365 days; that placeholder is what the CA-signed certificate from step 6 is meant to supersede)
    keytool -genkey -alias SL -keyalg RSA -validity 365 -keystore keys/my.keystore
  2. Displaying the result
    (cd keys)
    keytool -list -keystore my.keystore
    keytool -list -v -keystore my.keystore
  3. Creating a CSR (the request carries the public key from step 1; the openssl line lets you inspect it before handing it to the CA)
    (cd ..)
    keytool -certreq -keystore keys/my.keystore -alias SL -file SL_certification_signing_Request.pem
    openssl req -noout -text -in SL_certification_signing_Request.pem
  4. Initializing the serial counter (demoCA/serial holds, in hex, the serial number the CA will put on the next certificate it issues; RFC 5280 requires serial numbers to be positive, so 01 is the safer starting value)
    (mkdir demoCA)
    echo 00 > demoCA/serial
  5. Creating a CA (-newca builds the rest of the demoCA tree, including a self-signed CA certificate)
    /System/Library/OpenSSL/misc/ -newca
    [You'll need to remember that PEM pass phrase: it protects demoCA/private/cakey.pem and is asked for again every time you sign something]
  6. Signing the certificate request (policy, extensions and the index.txt database come from the default openssl.cnf, since no -config is given)
    openssl ca -in SL_certification_signing_Request.pem -out signed_cert_request.pem -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
  7. Verifying that the client cert was indeed signed by the CA (prints "signed_cert_request.pem: OK" and exits 0 on success; anything else means the chain does not build up to cacert.pem)
    openssl verify -CAfile demoCA/cacert.pem signed_cert_request.pem

Additionally, you may have to convert the certificate into something that's easier to deal with programmatically.
I have successfully used the following commands to do so:

  1. Extracting just the PEM block (openssl ca writes a human-readable dump in front of it; this keeps only what lies between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----")
    openssl x509 -in signed_cert_request.pem -out signed2_cert_request.pem
  2. Converting the certificate into a DER-encoded PKCS#7 bundle carrying both the signed certificate and the CA certificate
    openssl crl2pkcs7 -nocrl -certfile signed2_cert_request.pem -certfile demoCA/cacert.pem -outform DER -out certificate.p7c
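Here is an added, runnable version of the whole procedure (example code, not from the original post or from the OpenSSL project): it replays the CSR, CA signing, verification and PKCS#7 packaging with openssl alone in a throwaway directory, and adds the two checks I would want before trusting the result, namely that a certificate is rejected against an unrelated CA, and that a signature made with the private key verifies with the certificate's public key while a tampered message does not. The inline CA config (standing in for the demoCA tree that -newca builds), the subject names, file names and the sample message are assumptions made for the demo; it expects OpenSSL 1.1 or later.

```sh
#!/bin/sh
# Added example (not code from the original post): steps 1-7 above replayed with
# openssl alone in a throwaway directory. Assumptions: a minimal inline CA config
# replaces the stock demoCA/openssl.cnf; the end-entity key comes from openssl,
# not keytool (CSR and signing are identical); names and the message are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/demoCA"
# One config for "openssl req" and "openssl ca"; \$dir must reach openssl unexpanded.
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = demo_policy
x509_extensions = end_entity
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
[ end_entity ]
basicConstraints = critical, CA:false
EOF
}

# Steps 4-5: the layout "openssl ca" expects, plus a self-signed root.
# serial is hex and RFC 5280 wants a positive value, so start at 01 (not 00).
make_ca() {
  mkdir -p "$CA/private" "$CA/newcerts"
  : > "$CA/index.txt"
  printf '01\n' > "$CA/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null
}

# Steps 1-3: end-entity key pair and a CSR carrying its public key.
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sl.key" 2>/dev/null
  openssl req -new -key "$WORK/sl.key" -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=SL" -out "$WORK/sl.csr"
}

# Step 6: sign, log in index.txt, bump serial; -notext drops the text dump (no x509 cleanup needed).
sign_csr() {
  openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/sl.csr" -out "$WORK/sl.crt" 2>/dev/null
}

# Step 7: exit status 0 only if the chain builds up to demoCA/cacert.pem.
verify_chain() {
  openssl verify -CAfile "$CA/cacert.pem" "$WORK/sl.crt" >/dev/null 2>&1
}

# Failure mode: the same check must reject the cert against an unrelated root.
verify_rejects_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -extensions v3_ca \
    -subj "/CN=Unrelated CA" -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORK/other.crt" "$WORK/sl.crt" >/dev/null 2>&1
}

# What the key pair is for: sign with the private key, verify with the public
# key pulled out of the certificate (as a peer holding only the cert would),
# and confirm that a one-byte change to the message fails verification.
sign_and_verify_message() {
  printf 'constructed sample assertion\n' > "$WORK/msg.txt"
  printf 'constructed sample assertion.\n' > "$WORK/tampered.txt"
  openssl dgst -sha256 -sign "$WORK/sl.key" -out "$WORK/msg.sig" "$WORK/msg.txt"
  openssl x509 -in "$WORK/sl.crt" -pubkey -noout > "$WORK/sl.pub"
  openssl dgst -sha256 -verify "$WORK/sl.pub" -signature "$WORK/msg.sig" \
    "$WORK/msg.txt" >/dev/null 2>&1 &&
  ! openssl dgst -sha256 -verify "$WORK/sl.pub" -signature "$WORK/msg.sig" \
    "$WORK/tampered.txt" >/dev/null 2>&1
}

# The PKCS#7 step: bundle leaf + CA as DER and print how many certs came back.
bundle_p7c_count() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/sl.crt" -certfile "$CA/cacert.pem" \
    -outform DER -out "$WORK/certificate.p7c"
  openssl pkcs7 -inform DER -in "$WORK/certificate.p7c" -print_certs -noout \
    | grep -c '^subject='
}
write_config; make_ca; make_csr; sign_csr
verify_chain; verify_rejects_other_ca; sign_and_verify_message
echo "all checks passed; PKCS#7 bundle holds $(bundle_p7c_count) certs; files in $WORK"
```

Run it with sh (set WORK=/some/dir to keep the files somewhere known; they are left in place for inspection). Two keytool-side caveats the steps above skip: JDKs of that era defaulted -genkey to 1024-bit RSA, so pass -keysize 2048 explicitly; and the signed certificate only becomes useful once it is imported back into the keystore under the key's alias, after the CA certificate has been imported as a trusted entry, otherwise the keystore keeps serving the self-signed placeholder.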

Wednesday Dec 20, 2006

Too Tagged To Ignore It...

Okay, I've now been tagged by at least 3 different esteemed colleagues (Conor, Gerry and Paul - alphabetical order so as to not favor anyone) so I guess I need to act upon it. So here we go:

  1. My paternal grandfather (Dr. Nguyen Van Thach) was a politician in Vietnam (Saigon). Although he too was favoring independence (from the French) he got assassinated by the Communists in 1946 hence triggering the exodus of my family to France.
  2. I always wanted to be a fighter pilot but my eyes failed me...
  3. My favorite seasoning is the nuoc-mam (aka. fish sauce). My wife always complains that I put it on every dish thus ruining them (what can I do? I grew up with that!)
  4. I may have some British ancestor (shocking!) ;-)
  5. Here's a secret recipe for beautiful children: ethnic mixity. Mine are half French, a quarter Cantonese and a quarter Vietnamese and they're beautiful!  :-)

I guess I should tag other people now...hmm...since I've waited too long it seems pretty much everyone in Identity has been tagged already!
Wait, I know who has been spared so far: Brett, Timo, Takashi, you're it!

Tuesday Dec 19, 2006

HOWTO: Creating & Mounting a Solaris partition on a USB disk drive

For a change, this entry will not be about web services or identity management. It's all about using Solaris commands to create a Solaris partition on a USB removable disk drive. Since I didn't find anything that looked like a short HOWTO for this, I thought I'd write one, so here we go:

  1. /etc/init.d/volmgt stop
    This turns off vold (the volume manager), which is not always friendly with USB mass storage devices.
  2. svcs volfs
    It should show volfs as disabled (after step 1).
  3. rmformat -l
    Lists the removable devices, which lets you figure out where the USB disk is (/dev/rdsk/c4t0d0p0 in this example). Double-check this before going further: every command below writes to whatever device you name.
  4. fdisk /dev/rdsk/c4t0d0p0
    Creates the main Solaris partition. If no partition was initially present, just answering yes to the subsequent question assigns 100% of the disk to Solaris.
    side note: some of you may remember that Linux and Solaris did not like to be on the same disk, since Solaris used the same partition type ID (0x82) as Linux swap. The good news is that one can (and should) use the Solaris2 type (0xBF) so as to avoid that conflict.
  5. rmformat -s /tmp/my_slices /dev/rdsk/c4t0d0p0
    Where my_slices is a text file that describes the slices inside the partition. Note that Solaris has one "main" partition that you divide into slices (the VTOC holds 8 slice entries on SPARC and 16 on x86). Slice 2 conventionally covers the whole partition (the "backup" slice); the others are your own partitions. Each entry reads slice = start, size, flags, tag, and entries are separated by colons. An example of such a file would be:
    slices:    2 = 0, 350GB, "wm", "backup" :
               8 = 0, 350GB, "wm", "name"
  6. prtvtoc /dev/rdsk/c4t0d0p0
    Displays the table of contents on the USB disk, to make sure the change took effect.
  7. newfs -v /dev/rdsk/c4t0d0s8
    Assuming you've put your filesystem in slice 8 (as in the example above).
  8. mount /dev/dsk/c4t0d0s8 /mnt
    Note that it is 'dsk' and not 'rdsk': we are now addressing the disk in block mode, whereas formatting used the raw device.


That's it, you can now stuff this partition with plenty of big files or use it as backup media (my case).




Wednesday Sep 06, 2006

Jacques Pépin and the Lobster

I just watched a program with Jacques Pépin on public television (KQED). He was presenting a French recipe called lobster Fricassée (see here and search for lobster) and, as a preliminary, explained the fastest (and thus least painful) way to actually kill the beast. Quite interesting and surprising at the same time; I would not have expected to see him actually perform the execution on TV. But as he puts it, it's either the fishmonger or you, but someone has to kill it. At least his method was definitely very quick.

Very refreshing to watch that on American TV after reading articles about stores that decided to stop selling live lobsters, or stories about the ban on foie gras in Chicago and elsewhere.

Wednesday May 18, 2005

Microsoft's InfoCard

Microsoft recently shed more light on their new identity project, the Identity Metasystem. A core component of it is InfoCard, which is actually composed of two elements:

- Identity selector: it resides on the PC and acts as a sort of broker for the user, negotiating between the identity providers and the relying party. Note that the term identity provider has a quite different meaning than the one used in other identity frameworks (like Liberty). In Microsoft's Identity Metasystem, an identity provider issues digital identities that are relevant to the business it is in. For instance, a credit card provider would issue identities that enable payment (so the credit card number or whatever else is needed for a payment). To me such an identity provider is more of an attribute provider, but maybe I spent too much time working on Liberty? The relying party is a service provider that is also InfoCard enabled.

- Self-issued identity provider: the PC stores some of the user's personal information in a secure area of the operating system. The InfoCard client application (on the PC) can then provide these data to relying parties. Microsoft says that the data stored on the PC cannot be sensitive information (e.g. social security numbers). While this is an interesting concept, storing personal attributes locally raises the issue of availability: unlike digital identities stored at an identity provider, self-issued digital identities are only available when you're using your own PC.

Gathering as much info as I could, I have created the following diagram to illustrate how InfoCard would actually work. I'd be happy to hear any comments on it (or corrections if I got something wrong).

Now an interesting question is how this is going to work with other identity frameworks. Microsoft calls this architecture the Identity Metasystem since it is supposed to sit above (and play nicely with) existing systems.
I could imagine this being used on top of SAML 2.0 or Liberty ID-FF 1.2, but obviously this architecture is in direct competition with Liberty's ID-WSF framework.
I'm sure I'll come back to this.

Tuesday May 17, 2005

Monaco GP

Ok, so this weekend the most glamorous, most exciting race of the F1 calendar takes place. Of course I'm talking about the Monaco Grand Prix.
I drove there (on the streets where the track is laid out) in the past and I'm amazed at the speed these drivers reach. See this interactive map for a complete description of the track.
Last year, Trulli won the only victory of the season for Renault. This year I would not be surprised to see Renault claim its fifth (yes, five!) victory of the season (4 out of 6 so far!). But of course it all depends on qualifying and the starting grid. More than any other race, Monaco is the one where you want to be on the front row.
Unfortunately, if you live in the US (at least on the West coast) the only way to watch the races is to subscribe to the SPEED channel (available on Dish Network and probably elsewhere), although this year CBS did broadcast some races (which I wish they hadn't; they are soooo bad!).

Newbie on the blog

Woohh, so here am I starting my very first blog!

I have only recently joined Sun, so I've been quite busy trying to figure out where things are and what I'm supposed to do, although I have to say I'm involved in a project that did not really leave me a lot of time to think about important issues like where I should put things on my desk :-) (more to come on what I'm working on).
I've read quite a few blogs (some regularly) but being on the producer side rather than the consumer is quite new for me so bear with me and let's try to have fun!


