[x3d-public] Apache Santuario Java - XML security test sat

John Carlson yottzumm at gmail.com
Fri Dec 6 02:22:27 PST 2019


Here is even more reason not to use RSA with GPG.  It can be cracked by
listening to the computer noises!
https://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu


On Fri, Dec 6, 2019 at 4:17 AM John Carlson <yottzumm at gmail.com> wrote:

>
> Here is some info on using RSA with GPG and migration away from RSA:
>
>
> https://security.stackexchange.com/questions/178994/generate-new-key-ecc-vs-rsa
>
>
>
>
> On Fri, Dec 6, 2019 at 4:10 AM John Carlson <yottzumm at gmail.com> wrote:
>
>>
>>
>> On Thu, Dec 5, 2019 at 5:25 PM <yottzumm at gmail.com> wrote:
>>
>>>
>>> I would tend to use Gnu Privacy Guard (GPG)with JSON and have already
>>> implemented some simple test cases for X3D JSON (somewhere), however the
>>> information about GPG may be around 8 years old, and I don't know what
>>> they're doing with RSA in GPG.  I can ask a few of my security friends if
>>> someone becomes very interested in this.
>>>
>>
>> After some putzing around with the code, I got x3dserve working locally.
>> Here is the source code:
>>
>> https://github.com/coderextreme/x3dserve
>>
>> Note that I no longer use a stylesheet to convert XML to JSON.  I use my
>> own serializer.  This was because I couldn't get java to work from node.js
>> code.   Well, I didn't want to install python 2.7 which node-gyp seems to
>> depend on.
>>
>> But I think most aspects of encryption are covered.
>>
>> Further work involved removing dependencies on Python 2.7 in X3DJSONLD.
>> Python 2 support ends at the end of the month!
>>
>> Hopefully the node-gyp/java guys will get on the ball, and I won't have
>> to flip any other code.
>>
>> This is a warning for all those that reinstall X3DJSONLD.  Keep your
>> environment the same until I can upgrade X3DJSONLD.
>>
>> Also this puts more pressure on Saxonica to get a good free JavaScript
>> version in the browser.
>>
>> Good luck if you use my code.  It's intended for private use, and not to
>> be put up on a server.
>>
>> It appears that the default --gen-key with GPG uses RSA.  That is
>> something that should be looked at.
>>
>> John
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://web3d.org/pipermail/x3d-public_web3d.org/attachments/20191206/1195a03d/attachment-0001.html>


More information about the x3d-public mailing list