[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

new MIT software release

A new release of the MIT SDSI/SPKI C software distribution is 
available.  Go to


and follow the software distribution links in the paragraph about 
SDSI/SPKI 2.0.  Note that you must be a US or Canadian citizen, etc., 
to get this software.  

The following binary builds are available:


Intel Linux and Irix builds will be available soon.

These are all build from the source distribution:


Many bugs were fixed in this release.  See ChangeLog in the source
distribution for the details (this file should be included in these
binary distributions, but it isn't - again, my bad).

More general notes from the 0.3.0 README:

Release 0.3.0

Signatures generated with releases 0.2.0 and earlier were broken -
their PKCS-1 encodings were not correct.  This has been corrected in
this release, but it means that all old signatures are now invalid.

For consistency, some library functions have been renamed and had
their semantics changed.  sdsi2_hash_verify and sdsi2_signature_verify
have been replaced by sdsi2_hash_check, and sdsi2_signature_check and
sdsi2_signature_check_with_sexp.  The new functions behave like the
rest of the library and return zero on success.

This release allows some flexibility in key algorithm names.  Signing
algorithm and encoding method combinations that imply or preserve the
hash algorithm used to sign can be used to name a key without
specifying a hash algorithm - leaving that algorithm to be chosen at
signing time.  For example, rsa-pkcs1 is a valid key algorithm name,
since the combination of RSA and PKCS-1 encoding will allow the
verifier to recover the name of the hash algorithm used from the

pgp-ssh-to-sdsi2, the program that deals the most with key algorithm
names, and sdsi2sh have been modified to support naming keys with no
hash algorithm.  See some brief notes in the main documentation, under
"Making a SDSI principal file", and "Using the shell", about how this
affects use of these programs.

Preliminary DSA support has been added.  The library can parse DSA
public and private keys, but you really can't do much with them yet -
since the grammar for <sig-val> has to be changed to support DSA's
signature value pairs.  This release has the code for that change in
it, but disabled - if you can get your hands on a SDSI DSA key and
want to work with it, define SDSI2_FEATURE_STRUCTURE6_SIGS in
sdsi2.h.in and recompile the library.  This will force <sig-val>s to
always be S-expressions, and not just a bytestring.

The type of the <sig-val> S-expression will be the exact same key
algorithm name on the verification key.  What follows depends on that
key algorithm name.  For example, under SDSI2_FEATURE_STRUCTURE6_SIGS,
possible <sig-val>s are:

(rsa-pkcs1-md5 |123abc==|)

(dsa-sha1 (r |def456==|) (s |1687a9==|))

Again, all of this new <sig-val> stuff is disabled by default.

sdsi2sh now supports a -delay command line switch, to delay prompting
for a passphrase to unseal your private key until you first want to
sign something.  Since the shell does stuff other than sign, this
makes it more reasonable to write scripts for it.

Better Perl 5 support in sdsi2ui.  At start time, reports the version
of Perl running the scripts and whether or not it has taint checks.  I
still don't know much about Perl 5, but hopefully sdsi2ui will work in
most installations.  Or, at least tell you why it won't.


Matt Fredette
fredette@bbnplanet.com, fredette@mit.edu, fredette@theory.lcs.mit.edu
"The first time the Rolling Stones played, three people came."