Fwd: Authentication Proposal -- Solid Cookies from Timothy Holborn on 2016-02-09 (public-credentials@w3.org from February 2016)

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Tue, 09 Feb 2016 10:43:56 +0000
To: W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <CAM1Sok3+ZiTRqMYjQTdkunC0srFkgoFEN7D9s7HaVk-8BsX6Ag@mail.gmail.com>

FYI.

---------- Forwarded message ---------
From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 9 Feb 2016 at 9:39 PM
Subject: Re: Authentication Proposal -- Solid Cookies
To: public-rww <public-rww@w3.org>, public-webid <public-webid@w3.org>


On 5 February 2016 at 12:07, Melvin Carvalho <melvincarvalho@gmail.com>
wrote:

> Alice wishes to authenticate on Bobs server.
>
>    1. Alice sends her User: identity, and (optionally) a path to a
>    "cookie". The cookie is a resource that only Bobs server and Alice have
>    access to. The contents of the resource are a typical cookie with
>    unguessable string and expiry.
>    2. Bob's server compares the string sent from the browser and the
>    string in the file. If they match access is granted.
>
>
> Any comments on this idea?
>

Ive renamed this proposal to WebID Tokens:

<https://gist.github.com/melvincarvalho/423100dcfac9d19677b8#webid-tokens-was-solid-cookies>WebID
Tokens (was Solid Cookies)

After getting a 4xx from https://bob.databox.me/<resource> Alice posts a WebID
token to :

1. https://alice.databox.me/profile/tokens/<random>
  <> a :Token ;
  :origin https://bob.databox.me/ ;
  :value random .

2. Alice sends a request to https://bob.databox.me/<resource>
  Token-Location: https://alice.databox.me/profile/tokens/<random>
  User: https://alice.databox.me/profile/card#me
  token: <random>

3. Bob checks https://alice.databox.me/profile/tokens/<random>
   matches the WebID token of so auth is successful else 4xx

<https://gist.github.com/melvincarvalho/423100dcfac9d19677b8#notes>Notes

   - periodically tokens can be managed or deleted or have an expiry

<https://gist.github.com/melvincarvalho/423100dcfac9d19677b8#extensions>
Extensions

   - tokens could be signed
   - instead of a shared secret PKI could be used
   - additional information can be put in the tokens to be used by both
   parties

<https://gist.github.com/melvincarvalho/423100dcfac9d19677b8#security-considerations>Security
Considerations

   - token directory should not be public readable
   - By delegating verification in this way it produces a largely
   undetectable backdoor where a server can impersonate a WebID
   - It is desirable that the verifier has confidence the token resource is
   only writable by Alice or Mallory could imperonate her. Ideally server
   should verify alice wrote the file, if it's not obvious or signed


https://gist.github.com/melvincarvalho/423100dcfac9d19677b8

Received on Tuesday, 9 February 2016 10:44:41 UTC