[aerogear-dev] Passphrase encryption - REST API discussion

Bruno Oliveira bruno at abstractj.org
Thu Mar 13 09:16:59 EDT 2014


Ahoy, regarding the HTTP header we can move it to the body. What would you suggest?

Other answers inline.

--  
abstractj

On March 13, 2014 at 10:02:04 AM, Matthias Wessendorf (matzew at apache.org) wrote:
> On Thu, Mar 13, 2014 at 12:59 PM, Bruno Oliveira wrote:
> > iOS Variant:
> >
> > - HTTP request
> >
> > Remain unchanged, but now certificate and passphrase can be sent
> > encrypted and the server will store it.
> >
>  
>  
> encrypted w/ the help of the public-key ?

Totally correct

>  
>  
>  
>  
> >
> > - HTTP response
> >
> > Remain unchanged
> >
> > Sender:
> >
> > - HTTP request
> >
> > Remain unchanged,
>  
>  
>  
> w/ "unchanged" you basically mean the payload of the "Send request" is the
> same as it is today, right ?

Correct. But if we agree on the flag, it might be necessary to include something like “protected: true” as an optional argument. Or any other thing to let the server know.

>  
>  
>  
> > but now the server will search for the application ID and retrieve the
> > public key to decrypt application's passphrase
> >
>  
>  
> Ok, that's internal details. So the server basically decrypts both: cert
> and its passphrase, in order to establish the connection to APNs

Correct

> >
> >
> > AeroGear Clients
> >
> > - cURL
> >
> > Yesterday I had the amusing experience of digging into the sources of OpenSSL
> > and their documentation, to see how people could encrypt it from the
> > command line. If I recommended that, people would remember my name for
> > eternity in a bad way. Another insane idea was to provide encoders for GPG.
> > The simplest idea, I think, would be to provide code for people to encrypt their
> > passphrase and certificate, instead of trusting some software.
> >
>  
> but that's really just for the "registration part", right ? I don't care
> that much about a cumbersome API there :-) Because in 99% of all cases the
> actual registration (and cert/passphrase upload) is done via the sexy Admin
> UI.
>  
>  
> The CURL for the send stays the same as it is today, right ?

Correct. The sexy admin UI is not really a concern to me, but the clients external to it are. The goal is mostly to provide options for people to encrypt their things.

> >
>  
>  
> It looks like it goes towards the right direction!
>  
> Thanks for looking into it
>  
>  
> --
> Matthias Wessendorf
>  
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
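The flow discussed in this thread (client encrypts the APNs certificate and passphrase with the server's public key, server stores the blob and decrypts it only when it needs to talk to APNs, and a "protected" flag in the request body tells the server which case it is dealing with) worked through as an added example. This is not AeroGear's own code and not the UnifiedPush Server's real request format; the JSON field names, the label string and the NewServerKeyPair helper are assumptions made here so the example runs offline. It uses a hybrid construction (a fresh AES-256-GCM key per upload, wrapped with RSA-OAEP) because a public key alone cannot encrypt a certificate of arbitrary size, and the sample certificate bytes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// label is bound into the RSA-OAEP wrap and the AES-GCM additional data (hypothetical value).
const label = "aerogear-ios-variant-secrets"

// ProtectedPayload is a hypothetical JSON request body: "protected" tells the
// server the secrets are encrypted; the other fields carry the envelope.
type ProtectedPayload struct {
	Protected  bool   `json:"protected"`
	WrappedKey string `json:"wrappedKey"` // RSA-OAEP(AES-256 key), base64
	Nonce      string `json:"nonce"`      // AES-GCM nonce, base64
	Ciphertext string `json:"ciphertext"` // AES-GCM(secrets JSON), base64
}

// Secrets is what the client protects: the APNs certificate and its passphrase.
type Secrets struct {
	Certificate []byte `json:"certificate"`
	Passphrase  string `json:"passphrase"`
}

// NewServerKeyPair stands in for the server's key management (a real server
// would load the key from a keystore); it is here so the example runs offline.
func NewServerKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ProtectSecrets is the client side: a fresh AES-256 key encrypts the secrets
// with GCM, and the server's RSA public key wraps that key.
func ProtectSecrets(serverPub *rsa.PublicKey, s Secrets) (*ProtectedPayload, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, []byte(label))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, []byte(label))
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	return &ProtectedPayload{Protected: true, WrappedKey: enc(wrapped), Nonce: enc(nonce), Ciphertext: enc(ct)}, nil
}

// UnprotectSecrets is the server side: unwrap the AES key with the private key,
// then open the GCM envelope. Any tampered field fails authentication.
func UnprotectSecrets(serverPriv *rsa.PrivateKey, p *ProtectedPayload) (Secrets, error) {
	if !p.Protected {
		return Secrets{}, errors.New("payload is not marked protected")
	}
	var fields [3][]byte
	for i, f := range []string{p.WrappedKey, p.Nonce, p.Ciphertext} {
		b, err := base64.StdEncoding.DecodeString(f)
		if err != nil {
			return Secrets{}, err
		}
		fields[i] = b
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, fields[0], []byte(label))
	if err != nil {
		return Secrets{}, errors.New("cannot unwrap key: " + err.Error())
	}
	block, err := aes.NewCipher(key) // rejects a key of unexpected length
	if err != nil {
		return Secrets{}, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(fields[1]) != gcm.NonceSize() {
		return Secrets{}, errors.New("bad nonce length")
	}
	plain, err := gcm.Open(nil, fields[1], fields[2], []byte(label))
	if err != nil {
		return Secrets{}, errors.New("envelope failed authentication: " + err.Error())
	}
	var s Secrets
	if err := json.Unmarshal(plain, &s); err != nil {
		return Secrets{}, err
	}
	return s, nil
}
```

The ProtectedPayload struct is what a client (cURL, the admin UI, or any external tool) would post as the request body in place of a header; json.Marshal of the value returned by ProtectSecrets gives that body. On the server, UnprotectSecrets is only called at send time, after the stored envelope is looked up by application ID, so the plaintext passphrase never needs to be persisted.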
