Simon Josefsson’s blog

Thought I’d let you know the reason why this blog has been silent for a while: Youbico. It is a new startup company that I’m involved in as head of R&D and investor. The idea is to sell a hardware USB dongle, the Youbico key, for user authentication. Initially we’ll target the OpenID community, but we are working with a number of companies looking to use the Youbico key for other applications.

That’s it basically. Again, check out our web site to find out more.

I blogged earlier about buying the Linux-based Jobo Giga Vu Pro Evolution. On 2007-04-14 I asked about the source code, and on 2007-04-23 I received a reply pointing at this URL. I see now that the file can also be downloaded (much faster) from Jobo directly.
Read the rest of this entry »

Today I sent some patches for elinks to make it better use the GnuTLS APIs. That made Elinks happily connect using TLS 1.2 to the GnuTLS test server. Would this make it the first web browser ever to support TLS v1.2? Inquiring minds wants to know.

(Yeah, I know that TLS v1.2 is not finalized yet.)

I bought a Nokia 6233 yesterday, because I lost my Nokia N80 a few days ago. One of its important features besides 3G and Bluetooth, for me, is the ability to read e-mail. Unfortunately, the devices has some serious problems with non-cleartext authentication in IMAP. What is strange is that SMTP authentication using CRAM-MD5 and DIGEST-MD5 works fine. Actually, there is more strangeness to it than this… Read the rest of this entry »

I bought a new toy yesterday, altough its silly name almost made me go for the Epson P-5000 instead. Quick testing seem to suggest that the device lives up to its promises, although there is room for improvements in the user interface.

One of my reasons of buying it was for the device to serve as my MP3 server in the office. Alas, the MP3 player is not very advanced. You just select directories, and press play. Crude as it may be, it appears to work.

What was interesting was that the manual says the device includes software released under the GPL, available upon request. Today I sent an e-mail to support@jobo.com to ask for the code. It would be nice if I could ssh into this box and run mpg123 manually. I’ll blog about my progress on that.

Anyway, the machine has some interesting specs:

• AMD Au1200 MIPS processor at 400MHz
• 128 MB DDR-SDRAM
• 32 MB Flash Rom
• 3.7″ VGA Screen
• 80 GB Hard Disk
• 2*miniUSB
• Audio+TV out
• VGA/DVI output (cable not included…)

I’ve implemented tls-authz in GnuTLS but there has been a long discussion of the patent situation for that technology on the IETF list. A few days ago there was a new IPR Disclosure with a patent license for this technology:

https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=833

I evaluated this license from a free software perspective, here is my writeup:

http://article.gmane.org/gmane.ietf.general/24690

Coverity is a tool to find security problems in code through static analysis. I’m sure it is a fine tool. There is a company behind it, Coverity Inc., and they run the tool on free software. A service like that seems like a good thing. Alas, the details of how scan.coverity.com imply that it is a bad idea for free software supporters to use the service. Here are the mistakes they made:

1. There is no notification to the project maintainer that they found problems in the code.
2. The problems they have found are not available publicly. (This _may_ be desirable, in case the problems they find are exploitable.)
3. They require that any maintainer who wish to review the problems enter into a license agreement with Coverity, Inc. The license is very biased, and all the advantages are with the company, and none with the developer. Further, they can change the license at any time, and you are (presumably) forced to follow it anyway. (Read below for a copy of the license.)

This sends the message that the site is just advertisement for their commercial proprietary products and services. Possibly it could be even worse, it can be seen as a bargaining a’la “Your software is insecure, agree to our evil license and we’ll tell you how to fix it”.

Therefor I suggest that all free software maintainers boycott the scan.coverity.com service until they get their act together.

A reasonable way to change their service to something more acceptable, and potentially even turn it into a positive contribution to the community, would be to send the list of problems to the official bug maintainer address of each project.
Read the rest of this entry »

Talking to Buanzo, I have been testing the EnigForm plugin for Mozilla. Briefly, EnigForm gives you OpenPGP signing of HTML forms, based on GnuPG, by setting some HTTP headers with the OpenPGP data. This is quite cool, I imagine two use-cases:

• PGP-based web-authentication. Type your username, have a hidden form field with a nonce, and have EnigForm sign the data. The server verifies the signature, and you have been logged on.
• PGP-protected web-based forums, bug-tracking systems, polls, etc. What you write in a HTML form is signed by EnigForm, and the server knows who wrote it, and there is persistent evidence of it. Imagine Debian votes through the web instead of via e-mail!

I think this should be documented and forwarded to the IETF for standardization. It is a good example of a simple invention that uses two existing techniques in a new way.

There was a large increase in activity on password-based SASL authentication mechanism in the Prague IETF, with three new proposals. Unfortunately, I was travelling over the I-D cutoff, so my document didn’t make it. However, I’ve now finished a -00 document for it. The goal was initially to just specify a GSS-API mechanism, but it seemed easier to specify a framework-agnostic protocol (with some influences from GSS-API and SASL) and then specify the mapping to GSS-API and SASL.

http://josefsson.org/password-auth/

Version -08 only fixes very minor WGLC comments.

Nothing to see really, but it marks progress for the document.