The Cowboy

Monday, February 12, 2007

Javascript cool feature of the day: on Browser Ready

I have a nice little one-liner script you can drop into your HTML page to run a function once the browser has finished loading the HTML.

I have been using this cool little snippet for a while, something I factored down for my own purposes and tucked away in my little bag of tricks. I didn't realize that others were not using something similar (I saw a spate of posts where people were using document.write for this) [SHUDDER!]. document.write blocks the parser while it runs and, worse, is a textbook DOM-based XSS sink if anything attacker-influenced ever reaches it, so it is the wrong tool for bootstrapping. So, I'm going to post it, and let the world rejoice:

var _my_init = document.addEventListener
    // Standards path (Firefox, Safari, ...): fire once the DOM has been parsed.
    ? document.addEventListener("DOMContentLoaded", function () { myinit(); }, false)
    // IE path: no DOMContentLoaded, so poll document.readyState every 10 ms and
    // stop the timer the first time it reports loaded/complete.
    : setInterval(function () {
          if (/loaded|complete/.test(document.readyState)) {
              clearInterval(_my_init);
              myinit();
          }
      }, 10);

Works in IE, Firefox, and Safari, and probably others, since most browsers support one of the two methods for bootstrapping an init function. One caveat: if the script itself runs after the DOM has already finished loading, the DOMContentLoaded branch will never fire, because the event has already come and gone.

To use it, just replace the two myinit() calls with whatever you want to run, and rename the _my_init variable to something that'll be unique to you. I'd comment on my crazy desire to overload the living tar out of the ternary operator in JavaScript, but that'd be redundant.
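As an added example (not the one-liner from the post above), here is a ready() helper that also covers the case the one-liner misses: a script that runs after DOMContentLoaded has already fired. The document is passed in, defaulting to the real one, so the same function can be exercised with a constructed stand-in outside a browser; FakeDocument and the "ppid"-free demo() wrapper are hypothetical scaffolding for that purpose, not browser APIs.

```javascript
// Added example, not the post's snippet: run fn once the DOM is usable, whether
// the script runs before or after DOMContentLoaded. `doc` is injectable
// (defaults to the real document) so the logic can be tested without a browser.
function onReady(fn, doc) {
  doc = doc || (typeof document !== "undefined" ? document : null);
  if (!doc) throw new Error("onReady: no document available");

  var fired = false;
  function runOnce() {
    if (fired) return;          // guard: the callback runs at most once
    fired = true;
    fn();
  }

  // readyState is "loading" while parsing, then "interactive", then "complete".
  // Anything past "loading" means the DOM is already there: run immediately,
  // because DOMContentLoaded has already fired and will not fire again.
  if (doc.readyState !== "loading") {
    runOnce();
    return;
  }
  doc.addEventListener("DOMContentLoaded", runOnce, false);
}

// Constructed stand-in for a browser document (hypothetical; exists only so the
// example runs outside a browser). It mimics the two members onReady touches.
function FakeDocument(initialState) {
  this.readyState = initialState;
  this._listeners = [];
}
FakeDocument.prototype.addEventListener = function (type, handler) {
  if (type === "DOMContentLoaded") this._listeners.push(handler);
};
FakeDocument.prototype.finishParsing = function () {
  this.readyState = "interactive";
  this._listeners.forEach(function (h) { h(); });
};

// Drive both paths and return what happened so it can be checked.
function demo() {
  var log = [];

  // 1. Script runs while the page is still parsing: callback waits for the event.
  var early = new FakeDocument("loading");
  onReady(function () { log.push("early"); }, early);
  var beforeEvent = log.length;           // nothing has run yet
  early.finishParsing();
  early.finishParsing();                  // a second dispatch must not re-run it

  // 2. Script runs after the page has loaded: callback runs right away.
  var late = new FakeDocument("complete");
  onReady(function () { log.push("late"); }, late);

  return { beforeEvent: beforeEvent, log: log };
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));    // {"beforeEvent":0,"log":["early","late"]}
}
```

In a real page you would call onReady(myinit) with no second argument; the FakeDocument is only there so the two timing cases can be run and checked deterministically.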


Monday, February 5, 2007

I hacked RSA

Working with security and cryptography every day, I keep looking at the interactions that I do in real life, and try to visualize how that is keeping my identity secure, yet providing the required information to the parties that legitimately need it. Pretty much doing it the same way we try to figure out how to make CardSpace safe for everyone to use wherever they choose. I then come across real-world security opportunities that make me shudder.

I got to San Francisco on Sunday morning, and went to the conference center to get my badge. There were quite a few mails going around the staff going to RSA as to who would get the expo conference passes and who would get the exhibitor passes. I needed early access to the floor, so right near the end of last week, it was decided that I'd get one of the exhibitor passes, which let me go in where I needed to.

When I got to the check-in, I went to the laptops that were set up to look up my registration, and found out that I wasn't registered. No problem, I just went to the badge booth, and explained that I was a Microsoft employee and I was supposed to have an exhibitor pass. I handed the person in the booth a business card, and they added me in right there. No picture ID, no verification whatsoever. Just a business card, and a smile.

I successfully authenticated to the RSA conference with a self-issued credential, and was granted instant access. Pretty odd for a security conference. Now, it has been pointed out to me that, with my hat and my story, they probably thought I couldn't possibly be an imposter. But isn't that the point? How can they know? Where is the verification? Shouldn't they have asked for at least picture ID?

Last September, I went to DIDW in Santa Clara. Nice conference. When I picked up my conference pass, I just had to give my name. No ID check there either. At an IDENTITY CONFERENCE. Bill Barnes and I were quite boggled at that obvious lack of authentication there too.

I've decided, next conference, I'm going as Kim Cameron.


What is the “Master Key” that is used to create the key-pair and PPID?

James Manger asks a couple of pertinent questions, considering my last post on PPIDs:

What is the “Master Key” that is used to create the key-pair and PPID? Could you explain this process?


Whoa! You might as well ask what's in them sausages you just ate...

Seriously, the Master Key is a posse of bytes that we use to seed the entropy for creating the PPID and the private/public key-pairs.

The Master Key is generated by the CardSpace built-in STS when you create a personal card, and is stored with the rest of the data in the card store. It is the only piece of data in the card that the user doesn't have control over.

I don't have the exact algorithm in my hands (I'm at the RSA Conference in San Francisco!), but I'll post it when I get back. If I recall correctly, it's kinda along the same lines as GUID generation: it takes a bunch of different data bits and corrals them together to generate a stream of bytes.

I always like it when people ask questions about CardSpace's implementation, the cryptography behind it or really, any other security questions... It reminds me of somethin' my pappy told me... "Always take a good look at what you're about to eat. It's not so important to know what it is, but it sure is crucial to know what it was." That kind of advice works really well for security, just as it did for those odd-tastin' sausages we barbequed up that night.
