[drupal-devel] Contract Module
Hello World,
Just wanted to run an idea past a few of you for a possible contrib. module for Drupal. I do freelance design work for people all around the world, and the major problem I find is that there is no way to 'sign off' on the work I am asked to do. What I propose is a 'contract' module.
Using this, a specialised node, accessible only to select users (the creator of the node, and any other person involved in 'authentication' of the work) would be created. This presumes that the other parties involved are members of the Drupal site, but I feel that is a small requirement/dependency.
Then, all parties (including the node creator) would digitally sign the node (or... its attached file). I imagine the use of MD5, or SHA-1, as they are quite standard (maybe MD5, as it is already used by Drupal). I think that ALL parties should sign it because the client or the employer (node creator) may wish to change things, or re-read the contract/agreement.
This is how I see the process: document being signed -> hash function -> hash of document -> private key (user's password) -> encrypt file -> digital signature.
This would be done for each party involved. Like the attachments are shown currently, the module could also show who has signed the document. Notification could also be given to ALL parties when the document has been signed by everyone.
I know nothing of the processes used to do this, so if I am wrong, or there is a better way to do this, I would really appreciate it. I'd also love your feedback.
I really need this module, but unfortunately don't have the coding experience to make it happen, so, after the details have been sorted out, I will post a bounty for its development. I would then release it under GPL, back to Drupal of course :P
-- Kind Regards, Nathan Wheatley
On Jun 6, 2005, at 10:40 PM, Nathan Wheatley wrote:
> Hello World,
> Just wanted to run an idea past a few of you for a possible contrib. module for Drupal. I do freelance design work for people all around the world, and the major problem I find is that there is no way to 'sign off' on the work I am asked to do. What I propose is a 'contract' module.
> Using this, a specialised node, accessible only to select users (the creator of the node, and any other person involved in 'authentication' of the work) would be created. This presumes that the other parties involved are members of the Drupal site, but I feel that is a small requirement/dependency.
> Then, all parties (including the node creator) would digitally sign the node (or... its attached file). I imagine the use of MD5, or SHA-1, as they are quite standard (maybe MD5, as it is already used by Drupal). I think that ALL parties should sign it because the client or the employer (node creator) may wish to change things, or re-read the contract/agreement.
> This is how I see the process: document being signed -> hash function -> hash of document -> private key (user's password) -> encrypt file -> digital signature.
> This would be done for each party involved. Like the attachments are shown currently, the module could also show who has signed the document. Notification could also be given to ALL parties when the document has been signed by everyone.
> I know nothing of the processes used to do this, so if I am wrong, or there is a better way to do this, I would really appreciate it. I'd also love your feedback.
> I really need this module, but unfortunately don't have the coding experience to make it happen, so, after the details have been sorted out, I will post a bounty for its development. I would then release it under GPL, back to Drupal of course :P
This is a great idea. I am not sure how much effort you want to put into this but I would suggest you do some reading on Sense and Respond business models. The short of it is that businesses are designed to build big structures and optimize their processes. But now they need to focus on rapid adaptation and tools like this are exactly what they need. I tried to get a project funded to do this with Instant Messaging at IBM a few years ago but it didn't happen. But the idea of adaptive micro contracts in a distributed online community is truly innovative and worth doing. Let me know if you want to chat. Cheers, Kieran
> -- Kind Regards, Nathan Wheatley
On Tuesday 07 June 2005 08:40, Nathan Wheatley wrote:
> MD5, or SHA-1 [...] (MD5 [...] used by Drupal)
Isn't SHA-1 more secure than MD5? MD5 is 128bit but SHA-1 is 160bit. I think both are crackable today, but MD5 is more well-known and therefore an easier target for cracking. I recently had to choose between MD5 and SHA1 for an application, and I chose SHA-1. -- NSK http://portal.wikinerds.org
On Jun 7, 2005, at 3:25 PM, NSK wrote:
> On Tuesday 07 June 2005 08:40, Nathan Wheatley wrote:
>> MD5, or SHA-1 [...] (MD5 [...] used by Drupal)
> Isn't SHA-1 more secure than MD5? MD5 is 128bit but SHA-1 is 160bit.
> I think both are crackable today, but MD5 is more well-known and therefore an easier target for cracking. I recently had to choose between MD5 and SHA1 for an application, and I chose SHA-1.
It's time dependent. Just because something CAN be cracked doesn't mean it will for the application. So if you want a password for a bank you use something that's harder. If you are hashing for instant messages that will be read inside of 5 seconds then MD5 isn't going to be broken in that timeframe. I've yet to hear of MD5 being casually exploited for simple end user applications. Cheers, Kieran
> -- NSK http://portal.wikinerds.org
On 08/06/2005, at 8:53 AM, Kieran Lal wrote:
> On Jun 7, 2005, at 3:25 PM, NSK wrote:
>> On Tuesday 07 June 2005 08:40, Nathan Wheatley wrote:
>>> MD5, or SHA-1 [...] (MD5 [...] used by Drupal)
>> Isn't SHA-1 more secure than MD5? MD5 is 128bit but SHA-1 is 160bit.
>> I think both are crackable today, but MD5 is more well-known and therefore an easier target for cracking. I recently had to choose between MD5 and SHA1 for an application, and I chose SHA-1.
> It's time dependent. Just because something CAN be cracked doesn't mean it will for the application. So if you want a password for a bank you use something that's harder. If you are hashing for instant messages that will be read inside of 5 seconds then MD5 isn't going to be broken in that timeframe.
> I've yet to hear of MD5 being casually exploited for simple end user applications.
> Cheers, Kieran
>> -- NSK http://portal.wikinerds.org
I think any one is fine. Everything can be broken if time permits. I would just like a more secure form of agreement between myself and the client, other than an email saying 'go ahead'. That could be anyone sending that email. And, I understand that anyone could obtain the client's Drupal username/password pair, then use their password (even a new one) as the private key to digitally sign the document, but the chances of someone else doing this are dramatically reduced (IMO). Also, if that process is used to SIGN the document, it has much more legal standing than the previously mentioned email.
Kieran, I would love to hear more of what you have to say about this. Drop me a line at [nathan@skoap.com]. Or, just continue in the list. That is what it is used for. Either way, I don't mind.
Anyone interested in working on this? That is my next question. I want this puppy on the production line ASAP.
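The flow from the first message (document -> hash -> key taken from the user's password -> signature, once per party) and the password-as-key point above, as an added example that is not part of the original thread or of any Drupal module. It assumes SHA-256 with PBKDF2 and HMAC in place of the MD5/SHA-1 discussed, and the function names, users and contract text are hypothetical; because the key comes from a password the site can also derive, the result is a keyed MAC that the site checks, not a public-key signature.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)

def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a site password into a 32-byte signing key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def sign(document: bytes, user: str, key: bytes) -> str:
    """Hash the document, then bind the digest to one named party."""
    digest = hashlib.sha256(document).digest()
    return hmac.new(key, user.encode() + b"\x00" + digest, hashlib.sha256).hexdigest()

def verify(document: bytes, user: str, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(document, user, key), tag)

def contract_status(document: bytes, keys: dict, tags: dict) -> dict:
    """Per party: 'signed', 'invalid' (document or key changed) or 'missing'."""
    status = {}
    for user, key in keys.items():
        if user not in tags:
            status[user] = "missing"
        else:
            ok = verify(document, user, key, tags[user])
            status[user] = "signed" if ok else "invalid"
    return status

def fully_signed(document: bytes, keys: dict, tags: dict) -> bool:
    return all(s == "signed" for s in contract_status(document, keys, tags).values())

# Constructed sample data: two hypothetical site users and a contract text.
CONTRACT = b"Logo redesign, three concepts, fee 900, due 30 June 2005."
KEYS = {
    "designer": derive_key("correct horse", b"salt-designer"),
    "client": derive_key("battery staple", b"salt-client"),
}

def demo():
    tags = {"designer": sign(CONTRACT, "designer", KEYS["designer"])}
    before = fully_signed(CONTRACT, KEYS, tags)    # client has not signed yet
    tags["client"] = sign(CONTRACT, "client", KEYS["client"])
    after = fully_signed(CONTRACT, KEYS, tags)     # everyone has signed
    edited = CONTRACT.replace(b"900", b"90")       # contract changed after signing
    return before, after, contract_status(edited, KEYS, tags)

if __name__ == "__main__":
    print(demo())
```

Any edit to the contract after signing turns every party's entry to `invalid`, which is the point at which all parties would need to sign again.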
participants (3): Kieran Lal, Nathan Wheatley, NSK