If you are a web developer, and have access to a mod_openpgp enabled Apache Server, then you will find this information interesting (or at least, useful!).
Enigform is a Firefox extension that, basically, adds headers to an outgoing HTTP request. This outgoing request becomes an "OpenPGP Signed Request". A request is signed by Enigform when:
When such a signed request is received by mod_openpgp, it gets processed accordingly. This means the headers and body of the request are analyzed and verified and/or acted upon. The results of these verifications (status of signature, session, etc.) are appended to another set of headers. This second set of headers is checked for spoofing, which means no client can append them arbitrarily to a request.
Let's analyze those two sets of headers. First, the headers added by Enigform. Second, the headers added by mod_openpgp.
This means the request is Signed. In the future, "E" for Encrypted and "SE" for both Signed and Encrypted will be supported.
This states which elements are signed, and in what order they were submitted to the OpenPGP application. As you can see, only the "body" of the request was signed. In the example, the body is the POST payload, or "variable=value". In a GET request, the "body" would be the QUERY STRING; session means the value of the X-OpenPGP-Session header is also included in the signature.
This is the OpenPGP signature itself, converted from its standard three-line form to a simple string.
This is the hash algorithm used, in this case SHA1. This depends on what choices the OpenPGP application provides and what the user chooses to use.
This is the OpenPGP application's name, version, and platform. This is extracted from the "Version:" field of standard, signed, ASCII armored OpenPGP output.
Name and version of the Enigform plugin, including platform. So far, only Mozilla Firefox is supported (1.5 through 3.0).
A classic HTTP session hash, obtained through a method known as "Secure Session Initiation".
Indicates the request is signed by a key which is known to the virtualhost's keyring (see ModOpenpgp.Configuration).
Fingerprint of the public key. 40 bytes for a known key, 16 otherwise.
Indicates the request has a good signature. You should not trust this value alone. It ONLY indicates the request's signature itself has been correctly verified, not that the request was actually sent by the user. See HTTP.ReplayAttacks for more details.
ID of the Public Key used to sign the request. Basically, the last 16 bytes of X-Auth-OpenPGP-Fingerprint.
Can be one of three values: Valid, Invalid, Timeout. (TODO: Add more details. In the meantime, they are explained in mod_openpgp's source code).
For a known public key, these fields get added, which are self-explanatory:
More details on session-management:
mod_openpgp still needs some of this code polished/implemented, but the idea is that we have a mod_openpgp option to define whether we want the client's IP address to be used as a countermeasure against replay attacks.
If it IS taken into account, then I think there's a very interesting approach for "Automatic IP Change Revalidation", that is, if the LEGIT user has his IP changed during a session, how can mod_openpgp tell the difference between a valid, but with a different IP, request, and an illegal (replayed by an attacker) one?
I think it could be something like this:
1) User begins session. Uses IP 184.108.40.206
2) User browses website. IP is still 220.127.116.11.
3) Suddenly, IP changes to 18.104.22.168. Next request to website is legal, but IP is different.
4) Server takes into account changes in IP. As the request looks valid (digital signature verifies), it answers with a 302 HTTP Redirect to the SAME url, but with a special ##REVALIDATE_SESSION## anchor appended.
5) Enigform (in User machine) detects this session revalidation request, and requests a new session. The new session code is obtained and replaces old one.
6) Request continues to same url, but is now auto-revalidated!
What do people think of this?
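
The six steps above, modelled as an added example (not code from mod_openpgp or Enigform). `SessionTable`, `Request` and `client_sees_revalidation` are hypothetical names, the marker is assumed to be appended verbatim to the URL, and the OpenPGP verification is reduced to a `signature_ok` flag on the assumption that opening a session requires a fresh signature a replaying party cannot produce.

```python
import secrets
from dataclasses import dataclass

REVALIDATE_ANCHOR = "##REVALIDATE_SESSION##"  # marker string named on the page

@dataclass
class Request:
    url: str
    client_ip: str
    session_id: str
    key_fpr: str        # fingerprint of the key that signed the request
    signature_ok: bool  # stand-in for the OpenPGP check over body + session

class SessionTable:
    """Hypothetical server-side table: session id -> (key fingerprint, bound IP)."""

    def __init__(self):
        self._sessions = {}

    def start(self, key_fpr, client_ip, signature_ok):
        # Assumption: starting a session needs a fresh, verified signature,
        # which a replaying attacker cannot produce.
        if not signature_ok:
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = (key_fpr, client_ip)
        return sid

    def handle(self, req):
        """Return (status, location) for a signed request."""
        entry = self._sessions.get(req.session_id)
        if entry is None or not req.signature_ok or entry[0] != req.key_fpr:
            return 403, None
        if entry[1] != req.client_ip:
            # Step 4: valid signature, wrong IP. Redirect to the same URL; the
            # old session stays bound to the old IP, so a replay gains nothing.
            return 302, req.url + REVALIDATE_ANCHOR
        return 200, None

    def revalidate(self, old_sid, key_fpr, client_ip, signature_ok):
        # Step 5: the client replaces its session; retire the old one only
        # when the same key opened the new one.
        new_sid = self.start(key_fpr, client_ip, signature_ok)
        if new_sid and self._sessions.get(old_sid, (None,))[0] == key_fpr:
            del self._sessions[old_sid]
        return new_sid

def client_sees_revalidation(location):
    """Client side (steps 5-6): detect the marker, return the URL to retry."""
    if location and location.endswith(REVALIDATE_ANCHOR):
        return location[: -len(REVALIDATE_ANCHOR)]
    return None
```

In this model a replayed request from another address only ever receives the redirect: it cannot complete step 5, and the legitimate session keeps working from its original address until its owner revalidates.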