xkapastel has quit [Quit: Connection closed for inactivity]
ubLIX has quit [Ping timeout: 245 seconds]
<Guest44825>
whois rcs_
Guest44825 has quit [Quit: Leaving]
Guest44825 has joined #picolisp
Guest44825 has quit [Client Quit]
Guest34125 has joined #picolisp
Guest34125 has left #picolisp [#picolisp]
rcs__ has joined #picolisp
rcs__ has quit [Quit: Leaving]
<razzy>
Good morning :]
<razzy>
Regenaxer: could you please give an example of "clash"? reason behind using (de usect ("Var" . "Execu") (...)) except passing multiple Arguments to function?
<Regenaxer>
see the faq
<razzy>
ok
<razzy>
Regenaxer: could you point me closer? function FAQ at picolisp.com does not seem to hold answer.
<Regenaxer>
doc/faq.html#problems
<beneroth>
Good morning Regenaxer
<Regenaxer>
Hi beneroth!
<Regenaxer>
razzy: Or use namespaces
<Regenaxer>
But debugging transient variables is also possible, with 'loc'
<Regenaxer>
or simply 'bt' backtracing
<razzy>
Regenaxer: thx, i found reasoning. i will not use transients. i need to add tooling slowly. and if self referencing is only problem, i can live with that.
<razzy>
namespaces i will use in future
<Regenaxer>
ok, but try first to understand 'exe's vs. 'prg's and the resulting use of FEXPRs
<Regenaxer>
and the resulting meaningful naming of parameters/variables
<beneroth>
razzy, follow the naming conventions
<Regenaxer>
You call something which is an exe a "Prg", and that's messing it up
<razzy>
Regenaxer: are "Prg" and "Exe" just a naming convention important for the programmer?
<Regenaxer>
Sorry, I will not answer this question.
<razzy>
i will try to follow naming conventions. but i would like to know if the interpreter somehow cares about the Prg name.
<Regenaxer>
Think about it
<Regenaxer>
please
<beneroth>
forget it, Regenaxer.
<Regenaxer>
sigh
<tankf33der>
picolisp can compile and pass tests on linux 5.0 kernel
<beneroth>
nice! thanks tankf33der !
<Regenaxer>
Hi tankf33der
<Regenaxer>
great!
<Regenaxer>
tankf33der, which cryptographic hash would you recommend to sign (verify) a small set of data (perhaps 5 to 10 pieces, name, address, tel, email etc.)?
<Regenaxer>
sha256 ?
<tankf33der>
how you will hash it? by picolisp?
<Regenaxer>
yes
<tankf33der>
or native call with library?
<tankf33der>
picolisp, ok
<Regenaxer>
It should be verifiable by everybody
<Regenaxer>
so a command line tool
<Regenaxer>
on every OS
<tankf33der>
i see
<tankf33der>
you meant sha1sum like, right?
<Regenaxer>
yeah
<Regenaxer>
not tool long hash would be good
<Regenaxer>
so easy to check by non-specialists
<tankf33der>
sha1 is ok then
<Regenaxer>
*not too long* I mean
<beneroth>
must it be safe against malicious attackers?
<Regenaxer>
yes
<tankf33der>
attackers?
<Regenaxer>
perhaps
<Regenaxer>
generating false names, addresses
<tankf33der>
then take b2sum and switch to blacke2
<tankf33der>
blake2
<Regenaxer>
cause it is very strong?
<tankf33der>
modern and safe
<tankf33der>
very strong
<Regenaxer>
And available on Windows etc.?
<tankf33der>
it's a part of gnu coreutils, should be
<Regenaxer>
Also, it should be safe in the future (quantum attacks?)
<Regenaxer>
Background:
<Regenaxer>
A database of addresses and UUIDs, which can be checked by everybody
<beneroth>
quantum = parallelism. if quantum computers with feasible power can be built - a very big if.
<tankf33der>
b2sum i found in msys, so cygwin also will work
<Regenaxer>
Users are noobs
<tankf33der>
it's not safe against quantum attacks.
<Regenaxer>
ok
<beneroth>
what can be checked?
<beneroth>
input -> output
<Regenaxer>
Check is to verify that the UUID belongs indeed to that address data
<Regenaxer>
The UUID will be a global company key
<Regenaxer>
The project is supported by the Consumer Goods Forum
<beneroth>
why hash? why not just input: UUID + address -> output: bool ?
<Regenaxer>
If it works, it is planned to be a global standard to verify companies
<tankf33der>
then blake2b, it also supports keying
<beneroth>
Regenaxer, there is a trusted authority (the operators of the central service), I assume ?
<tankf33der>
and hash length 1-64 bytes
<Regenaxer>
Everybody must be able to verify that the UUID belongs to the company data in the DB
<Regenaxer>
publicly visible
<Regenaxer>
Company A communicates with company B
<beneroth>
so like Umsatz-Steuer-ID (VAT-ID) in a national company registry, no?
<Regenaxer>
yes, exactly
<beneroth>
no magic.
<Regenaxer>
but globally
<Regenaxer>
yes
<beneroth>
why hash?
<beneroth>
in Europe we already have standardized VAT-IDs.
<Regenaxer>
To be sure the data are not tampered
<beneroth>
https. signature from the server/central authority.
<Regenaxer>
The global page holds UUID, the hash, and data
<Regenaxer>
yes, TLS cert too
<beneroth>
sounds like digital signature, like PGP, nothing to do with hashes I think ?
<Regenaxer>
But target audience are consumer goods companies
<Regenaxer>
Coca Cola, Nestle, Intel, IBM, *all*
<beneroth>
so result should be a URL (possible as QR-Code) to be printed on products, leading to the profile website of the trader on the webserver of that central authority?
<Regenaxer>
Most important is safety of the hash, but even more easy to check
<beneroth>
Regenaxer, it sounds a lot like the business plans of your friends in netherlands... you should maybe get them on board...
<tankf33der>
blake2b!
<Regenaxer>
haha, yes, in fact the idea is from SIM in Netherlands
<beneroth>
WinRAR supports Blake2, so they are surely available on windows too
<Regenaxer>
I see
<tankf33der>
sha3 and blake are far beyond any sha1 family and md5.
<Regenaxer>
Ideally it should be easy on every OS, without installing anything
<beneroth>
Regenaxer, apart from the technical details, I don't get the supposed benefit. who is the main customer of that solution: traders, to get security about where their goods come from?
<tankf33der>
farmers don't have sha1sum.exe installed on their windows xp, right? :)
<Regenaxer>
We could provide an online service to calculate it
<Regenaxer>
but that must be trusted again
<beneroth>
and latency is a problem out in nowhere
<Regenaxer>
tankf33der, probably
<Regenaxer>
T
<Regenaxer>
Well, I make a PilBox
<Regenaxer>
so out in nowhere will be OK
<beneroth>
android 5+ ?
<Regenaxer>
but desktop users must be able
<Regenaxer>
yes
<Regenaxer>
5+ enough I think
<beneroth>
I doubt that out in nowhere android 5+ is enough.
<beneroth>
but yeah, depends.
<Regenaxer>
in the future
<beneroth>
out of nowhere is a pretty wide definition :)
<Regenaxer>
yeah
<Regenaxer>
The farmers usually are in a cooperative
<beneroth>
make sure to not sell yourself into a never-ending maintenance burden ;-)
<Regenaxer>
They have equipment
<Regenaxer>
No, I just make the demo :)
<Regenaxer>
or the CGF version
<Regenaxer>
*any* company can set up their own later
<Regenaxer>
and the big ones will do
<beneroth>
ok. and then you watch the oracle/java corporate drones struggling to implement your demo in their stuff ^^
<Regenaxer>
yeah, a pain, but not my prob ;)
<Regenaxer>
So lets plan blake2b? It has a future?
<tankf33der>
has.
<Regenaxer>
cool!
<Regenaxer>
Thanks!
<Regenaxer>
So what do you think of the concept in general?
<Regenaxer>
Company data + UUID
<Regenaxer>
published with a hash
<Regenaxer>
if data change, the hash will change too
<Regenaxer>
but the UUID will never change
<tankf33der>
uuid is uniq secret data ?
<Regenaxer>
To verify the UUID, go to a published page
<Regenaxer>
check the page with TLS cert and hash
<Regenaxer>
Nothing is secret in all of it
<tankf33der>
ok
<Regenaxer>
The purpose is to have a short key (UUID)
<tankf33der>
blake2b can be 1-64 bytes.
<Regenaxer>
eg. in database indexes
<Regenaxer>
ok, it is to verify the data
<Regenaxer>
the real "key" is the UUID
<Regenaxer>
Short hash would be a little better
<Regenaxer>
for humans to manually check the consistency
<Regenaxer>
TLS + UUID + data + hash
<Regenaxer>
ie. when I get a UUID, I can search for it
<Regenaxer>
find a page with address etc.
<Regenaxer>
check that page with hash to see it is the right one
<tankf33der>
and uniq.
<Regenaxer>
yes, if address, name and UUID match
<Regenaxer>
then I know this is indeed THAT company
<tankf33der>
so UUID is already always uniq.
<Regenaxer>
The hash guarantees only that this page has not been tampered with since I saw it last time
<Regenaxer>
yes, UUID *must* be unique
<Regenaxer>
This seems guaranteed
<Regenaxer>
I use UUID.randomUUID() also in PilBox
<Regenaxer>
to identify the phones
<tankf33der>
how many bytes of hash you want to store, not 8, right?
<Regenaxer>
hmm, so 64 chars is a bit long
<Regenaxer>
yes, all
<tankf33der>
how to get correct implementation of any hash generator.
<Regenaxer>
32 would be nice, but not really important
<tankf33der>
ok
<tankf33der>
for blake2b there are 3 variants: mine, monocypher, libsodium.
<Regenaxer>
Would sha256 have disadvantages?
<Regenaxer>
It seems more widespread
<Regenaxer>
and is shorter
<Regenaxer>
We must only guarantee that nobody can set up a fake page
<Regenaxer>
for that UUID
<tankf33der>
blake2 can generate shorter output.
<Regenaxer>
ah, cool
<Regenaxer>
that would be nice
<tankf33der>
any in range 1-64 bytes
<Regenaxer>
cool, so we could also go with e.g. 16
<tankf33der>
sha2 ~2002
<Regenaxer>
should have enough entropy
<tankf33der>
blake2b ~2015
<Regenaxer>
ok
<Regenaxer>
16 hex digits are enough perhaps
<tankf33der>
or 32 ? :)
<Regenaxer>
yeah, but ideally users can write them into some paper notebook privately
<Regenaxer>
for future checks
<Regenaxer>
16 or 20 are less error-prone
<Regenaxer>
Not so important atm
<Regenaxer>
can be decided later
<tankf33der>
ok
<Regenaxer>
In practice, we may even change the hash fun later
<Regenaxer>
But we must recommend something to start with
<Regenaxer>
and I provide an app
<Nistur>
mornin'
<Regenaxer>
Hi Nistur
<beneroth>
Hi Nistur
<beneroth>
Regenaxer, how does that system defend against fake companies?
<Regenaxer>
Not at all
<tankf33der>
blake2b is perfect startpoint.
<Regenaxer>
ok
<beneroth>
Regenaxer, put some version numbering into your standard data format, so you can change it later.
<Regenaxer>
right!
<Regenaxer>
Mostly for *which* data are included
<Regenaxer>
address, name, tel and most important GPS coordinates
<Regenaxer>
To check we have the company we mean
<Regenaxer>
(if that company is fake it is not our problem)
<beneroth>
how is it ensured that wrong data is not entered in your database in the first place?
<Regenaxer>
Not ensured. Companies enter their data themselves
<Regenaxer>
It must be their own interest to do it right
<beneroth>
hmm. I think malicious fake-websites or MitM-attacks will be the least of the problems of that system :P
<Regenaxer>
yes, they have another UUID so they are worthless
<Regenaxer>
And if the UUID and all data plus hash are the same, no harm is done
<Regenaxer>
The purpose is only to guarantee that the UUID is related to the same data
<beneroth>
aye. I think this is just a minor attack vector all in all, anyway.
<Regenaxer>
We must verify that *this* UUID belongs to CocaCola
<Regenaxer>
yeah, not clear how useful such an attack would be
<Regenaxer>
eg send a fake invoice
<beneroth>
yeah. but I put CocaCola UUID and stamps all over my goods, even when they are something else :)
<Regenaxer>
yes, but CocaCola will sue me
<beneroth>
if they find out.
<Regenaxer>
true
<beneroth>
if they can identify you.
<beneroth>
well the system might still be worthwhile even if it's cheated somewhat.
<Regenaxer>
The UUID is needed as a unique key into databases
<Regenaxer>
You can always send fake invoices
<Regenaxer>
without UUID
<Regenaxer>
The UUID is not for security
<Regenaxer>
Only the relation to the data must be sure
<Regenaxer>
Avoid duplicates in databases
<Regenaxer>
This was the original purpose
<tankf33der>
afk.
<Regenaxer>
thanks tankf33der
_whitelogger has joined #picolisp
ubLIX has joined #picolisp
ubLIX has quit [Ping timeout: 245 seconds]
alexshendi has joined #picolisp
alexshendi has quit [Read error: Connection reset by peer]
<tankf33der>
Regenaxer: your hash will be like git's hash on different fields of commit
<tankf33der>
every field is public, boom, uniq hash point all of them as index