Mastodawn

Approximately 15 months after submittng FoI requests for the UK Railway's Barcoded Ticketing specifications, I've just managed to settle the appeal on the cases (on a Saturday of all days).

So, presenting for your reading enjoyment, some PDFs that the Government really didn't want me to get until the last minute: https://magicalcodewit.ch/rsp-specs/

Rail Settlement Plan Barcode Specs

The specifications for UK Railway Barcoded Tickets, provided under the Freedom of Information Act.

Barry Rowlingson Feb 28

@q I wonder what Edmondson would think... https://en.wikipedia.org/wiki/Edmondson_railway_ticket

Edmondson railway ticket - Wikipedia

@q you can’t do this to us on a weekend /lh

but congratulations! and thank you!

210561 ✨ [Q]Feb 28

@kuriko look, I didn’t expect to get emails from lawyers on a weekend either!

@q lawyers… on a weekend… that is indeed a rare scene

i thought they would not law on weekends

@kuriko @q commit your crimes outwith business hours everyone

Bernard Quatermass Feb 28

@q @kuriko end of calendar month deadlines

210561 ✨ [Q]Mar 1

@QuatermassTools @kuriko the court’s deadline was in 7 days

@q Why weren't these specifications publically available? Or, perhaps a better phrasing, what was the UK's excuse for not making these freely available?

210561 ✨ [Q]Feb 28

@boggin publishing them would enable fraud

@q Sounds like the classic DVD Jon argument, security by obscurity. Now it bites them.

Oliver Blanthorn Feb 28

@q yeah. fraudsters will now know that barcodes are pure black and white. they'll be able to bypass visual inspection trivially now

Sebastian Crane 🏳️‍⚧️Feb 28

@bovine3dom @q @boggin little known fact: a pink-on-white barcode allows you to have the driver's seat, valid via any permitted route refundable and exchangeable for a fee

Dr. Sobek Feb 28

@q Incredible, congrats !!!!

Mike Spooner Feb 28

@q Wild!

"using the Digital Equipment Corporation 6Bit character set"

Guillaume Endignoux Feb 28

@q Re RSPS3001: Maybe it was too embarrassing that this standard uses RSA 1024, truncates a SHA-256 to only 8 bytes, and uses a custom way of RSA encryption of the plain data with the private exponent as a form of signing? 🤔

210561 ✨ [Q]Feb 28

@gendx the last part (signing with encryption) is exactly how bog standard RSA signatures work

Guillaume Endignoux Feb 28

@q Aren't you supposed to at least hash the input message though? i.e. `signed_message = M || Enc(H(M))` rather than `Enc(custom_encoding(M))`?

The standard itself says that it's not quite PKCS#7 and that "some libraries may not provide the ability to encrypt [this way]" which didn't seem to bother those writing the spec. 🤔

210561 ✨ [Q]Feb 28

@gendx there is a hash, of 8 bytes. yeah its not great, but neither is it catastrophic. if someone messed up the verifier in any number of ways though it’s insecure.

snowyfox Feb 28

.

@q physical layout of the elements on a ticket set only in table without single image of actual layout is just 😙🤌 hugs to people who had to draw from this

@q @revk Good job sticking with it!

CraftByte Mar 1

@q I am waiting for the storm of emails for public keys to the TIS accreditation email

210561 ✨ [Q]Mar 1

@anze Especially after posting it on RailUK Forums

R Tyler Croy 🦀Mar 9

@q I hope you don't mind, but I uploaded these to Scribd for good measure

https://www.scribd.com/document/1010042061/Interoperable-Barcode-Ticketing-Code-of-Practice
https://www.scribd.com/document/1010042060/Ticketing-Specification-Ticket-Version-05-02
https://www.scribd.com/document/1010042058/Barcode-Presentation-Key-Management-and-Data-Specification-Version-02-03

This was sitting in my queue since you shared originally, thanks for liberating this information!

Interoperable Barcode Ticketing — Code of Practice | PDF | Barcode | Public Key Cryptography

The specifications for UK Railway Barcoded Tickets, provided under the Freedom of Information Act. Courtesy of Q

Scribd