foaf+ssl was: XAuth critiques

John Kemp john at jkemp.net
Tue Jun 8 21:07:16 UTC 2010


Hi Henry,

On Jun 8, 2010, at 4:30 PM, Story Henry wrote:

> 
> On 8 Jun 2010, at 22:18, Eddy Nigg (StartCom Ltd.) wrote:
> 
>> 
>> On 06/08/2010 08:47 PM, From Story Henry:
>>> You DON'T need to export the certificate! You just create a new one: it's a one click procedure!
>> 
>> Doesn't that defeat the purpose and protection of using digital certificates in first place?
> 
> No. 
> 
> That's the trick of foaf+ssl: we do not rely on Certificate Authorities to vouch for the client. The certificates can be either self-signed, or signed by some unknown CA.
> 
> The trick used is the same as the one used by OpenID. ( In fact OpenID inspired much of what is behind Web ID. ) The SSL connection lets the server know that the client has the private key of the public key sent in the X.509 certificate. Because the X.509 certificate also contains the Web ID (in the subject alternative name position), the server can do an HTTPS GET on the WebID and if the public key matches there, identity is proven.
> 
> So we do change the server SSL/TLS proof method. I have put this past a lot of security experts in the past year, and we have implementations in most major languages. If you can see a problem

I see only the same problem I saw (and reported to you) 2 years ago - which is that for all the cryptography involved, it still seems possible for an individual to self-assert that they have a WebID and that it is linked to some certificate and private/public key. Which is to say, why bother with all the crypto if a user can self-assert his or her WebID and FOAF file anyway? 

OpenID relies on an OpenID provider "vouching" that a particular URI is "owned" by some user for whom the OpenID provider has an account. You could also run your own OpenID provider and self-assert that way. And the question is whether that is a particularly interesting thing to do in a Web context (as we self-assert all the time without any special protocols needed and it works fine for many things without new techniques, systems or other technology). 

Regards,

- johnk

> it may be worth going over to the foaf-protocols mailing list
> 
>   http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
> 
> Henry
> 
> 
>> 
>> Regards
>> Signer:  Eddy Nigg, COO/CTO
>>          StartCom Ltd. <http://www.startcom.org>
>> XMPP:    startcom at startcom.org <xmpp:startcom at startcom.org>
>> Blog:    Join the Revolution! <http://blog.startcom.org>
>> Twitter: Follow Me <http://twitter.com/eddy_nigg>
>> 
>> 
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
> 
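
The server-side check Henry describes (take the WebID from the certificate's subjectAltName, fetch it, compare the public key found there with the one the TLS client presented), as an added example that is not part of this thread or of any foaf+ssl implementation: the profile lookup is an in-memory map standing in for the HTTPS GET, and the WebID, key and function names are constructed. The impostor case shows what the comparison rejects; as John notes, it cannot reject a holder who simply publishes their own profile, because the check proves control of the listed key and nothing more.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Server step from the thread: TLS proved the client holds the private key; read
// the WebID from the SAN, look it up in web (stands in for the HTTPS GET), compare keys.
func VerifyWebID(cert *x509.Certificate, web map[string][]*rsa.PublicKey) (string, error) {
	if len(cert.URIs) != 1 {
		return "", errors.New("expected exactly one URI in subjectAltName")
	}
	webid := cert.URIs[0].String()
	for _, k := range web[webid] { // unknown WebID: no keys listed, so rejected
		if k.Equal(cert.PublicKey) { // modulus and exponent both match
			return webid, nil // the WebID document vouches for this key; no CA involved
		}
	}
	return "", errors.New("key not listed in WebID profile: " + webid)
}

func must[T any](v T, err error) T { // demo-only: these calls do not fail in practice
	if err != nil {
		panic(err)
	}
	return v
}

// Demo is a constructed run: alice's key is published under one WebID, then a self-signed
// certificate naming that WebID is checked with alice's key (accepted) or a fresh key (rejected).
func Demo(impostor bool) (string, error) {
	const webid = "https://example.org/alice#me" // constructed, not a live profile
	alice := must(rsa.GenerateKey(rand.Reader, 2048))
	web := map[string][]*rsa.PublicKey{webid: {&alice.PublicKey}}
	holder := alice
	if impostor { // claims alice's WebID with a key her profile never lists
		holder = must(rsa.GenerateKey(rand.Reader, 2048))
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: []*url.URL{must(url.Parse(webid))},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &holder.PublicKey, holder))
	cert := must(x509.ParseCertificate(der)) // the server's view after the handshake
	return VerifyWebID(cert, web)
}
```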
