
Delegated Auth, Certificate Not Present, etc

From: Nathan <nathan@webr3.org>
Date: Thu, 05 Jul 2012 16:14:00 +0100
Message-ID: <4FF5AF38.3070804@webr3.org>
To: Read-Write-Web <public-rww@w3.org>

Hi All,

Just some brainstorming on both delegated auth, and how to allow auth 
via username+password when a certificate isn't present (e.g. in an 
internet cafe).

On Delegated Auth*
===============================
Problem: Some agent <a> would like to allow another agent <d> to make 
requests on its behalf.

Requirements:

Verify identity of <d>
  - already handled by WebID

Specify that <d> is making a request on behalf of <a>
  - use an "On-Behalf-Of: <a>" header.

Verify that owner of <a> holds the private key correlating to the public 
key found in the profile
  - private key sign or encrypt string "<a>" within the profile found at <a>

Specify that <a> allows <d> to act on its behalf:
  - specify this in <a>s profile, for example
   { <a> :delegates [ :agent <d> ] . }

(optional) Verify that <a> allows <d> to act on its behalf:
  - private key sign or encrypt the string "<d>" and add it to the 
profile found at <a>, for example:
   {
     <a> :delegates [
       :agent <d>;
       :verify "XKZ...DhA=="^^xsd:base64Binary ] .
   }

(optional) Specify that <a> allows <d> bearing public key PKD to act on 
its behalf:
  - include the public key of <d> in the profile of <a>, for example:
   {
     <a> :delegates [
       :agent <d>;
       :verify "XKZ...DhA=="^^xsd:base64Binary;
       :publicKey [   # predicate name added here; a nested blank node needs one in Turtle
         a rsa:RSAPublicKey;
         cert:identity <d>;
         rsa:modulus  [ cert:hex "FD..847" ];
         rsa:public_exponent [ cert:decimal "65537" ]
       ]
     ] .
   }

(additional) Specify that <a> allows <b> to act on its behalf for 
purpose P:
  - perhaps specify using ACL permissions and the resource <r> that <d> 
is allowed access to
notes: how to keep this info private? very similar to oauth2 "<d> is 
requesting permission to Read(+Write) to your info at <r>."


On Certificate Not Present:
===============================
Problem: how to authenticate with service <s> as agent <a> when 
certificate is not present in the browser

Possible solution, pass <a> and a password to <s>.

Requirements:

Verify that the agent <a> authorizes the password "pass" and holds the 
private key related to the public key found in the profile at <a>.
- specify a signature of "pass" in the profile at <a>, for example:
  {
    <a> :cnp [
      :password-signature "URP...XhF=="^^xsd:base64Binary
    ] .
  }
notes:
  - <s> can verify the password by doing an openssl_verify("pass", 
$passwordSignature, $publicKey);
  - one password for all services, a bit insecure but works
  - allows service <s> to then pretend to be <a> since same pass for all 
services


Verify that the agent <a> authorizes the password "pass" for use ONLY on 
service <s>, and holds the private key related to the public key found 
in the profile at <a>.
- specify a signature of the concatenation ("pass" + ";" + "<s>") in the 
profile at <a>, for example:
  {
    <a> :cnp [
      :service <s>;
      :password-signature "URP...XhF=="^^xsd:base64Binary
    ] .
  }
notes:
  - <s> can find password
  - single password per service, password can't be reused by <s> for 
other services


Hope that all makes sense to somebody other than me! I'm sure there are 
bits I've missed, but it's just some notes on how I'd probably approach 
the problems currently being discussed.

Best,

Nathan
Received on Thursday, 5 July 2012 15:14:44 GMT
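The following is an added Go example illustrating the two signature checks sketched in the mail (the `:verify` value over "<d>" for delegation, and the `:password-signature` value over "pass" versus "pass;<s>" for the certificate-not-present case); it is not code from the original message or from any WebID project. It assumes SHA-256 with PKCS#1 v1.5 padding, since the mail only says "private key sign", generates a throwaway RSA key in place of the key in <a>'s profile, and uses constructed example URIs; the `Delegation` and `PasswordBinding` structs stand in for the profile triples, and the predicate names are the mail's own ad hoc ones.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// signString produces the base64 value <a> would publish as :verify or
// :password-signature. SHA-256 + PKCS#1 v1.5 is an assumption of this example.
func signString(priv *rsa.PrivateKey, msg string) (string, error) {
	h := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyString is the openssl_verify step a service runs with the public key
// it fetched from <a>'s profile.
func verifyString(pub *rsa.PublicKey, msg, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(msg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Delegation mirrors { <a> :delegates [ :agent <d>; :verify "..." ] }.
type Delegation struct {
	Agent  string // <d>
	Verify string // <a>'s signature over the string "<d>"
}

// CheckDelegation: a service that received "On-Behalf-Of: <a>" from an
// already WebID-authenticated <d> checks that <a>'s profile both names <d>
// and carries <a>'s signature over "<d>".
func CheckDelegation(pubA *rsa.PublicKey, dels []Delegation, d string) bool {
	for _, del := range dels {
		if del.Agent == d && verifyString(pubA, d, del.Verify) {
			return true
		}
	}
	return false
}

// PasswordBinding mirrors the :cnp block. An empty Service is the first
// variant (one password for every service); otherwise the per-service one.
type PasswordBinding struct {
	Service   string
	Signature string
}

// CheckPassword is run by service `self` when a browser without a certificate
// submits (<a>, pass). A per-service entry is honoured only when it names
// `self`, and the message checked is "pass;<self>", so a signature issued for
// another service cannot be replayed here.
func CheckPassword(pubA *rsa.PublicKey, bindings []PasswordBinding, pass, self string) bool {
	for _, b := range bindings {
		switch {
		case b.Service == "" && verifyString(pubA, pass, b.Signature):
			return true
		case b.Service == self && verifyString(pubA, pass+";"+self, b.Signature):
			return true
		}
	}
	return false
}

// Scenario records the outcomes for the mail's two password variants and the
// delegation check, using a freshly generated key in place of <a>'s real one.
type Scenario struct {
	GlobalAcceptedByS1, GlobalAcceptedByS2 bool // both true: the reuse problem
	ScopedAcceptedByS1, ScopedAcceptedByS2 bool // true, false
	DelegationOK, DelegationForged         bool // true, false
}

func RunScenario() (Scenario, error) {
	var sc Scenario
	// Constructed example identifiers, not real sites.
	const d, s1, s2, pass = "https://d.example/#me", "https://s1.example/", "https://s2.example/", "pass"
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return sc, err
	}
	pub := &priv.PublicKey

	// Variant 1: <a> signs "pass" alone; any service will accept it.
	globalSig, err := signString(priv, pass)
	if err != nil {
		return sc, err
	}
	global := []PasswordBinding{{Signature: globalSig}}
	sc.GlobalAcceptedByS1 = CheckPassword(pub, global, pass, s1)
	sc.GlobalAcceptedByS2 = CheckPassword(pub, global, pass, s2) // s1 could replay here

	// Variant 2: <a> signs "pass;<s1>"; only s1 accepts it.
	scopedSig, err := signString(priv, pass+";"+s1)
	if err != nil {
		return sc, err
	}
	scoped := []PasswordBinding{{Service: s1, Signature: scopedSig}}
	sc.ScopedAcceptedByS1 = CheckPassword(pub, scoped, pass, s1)
	sc.ScopedAcceptedByS2 = CheckPassword(pub, scoped, pass, s2)

	// Delegation: <a> signs "<d>" and publishes it next to :agent <d>.
	verify, err := signString(priv, d)
	if err != nil {
		return sc, err
	}
	sc.DelegationOK = CheckDelegation(pub, []Delegation{{Agent: d, Verify: verify}}, d)
	// The same :verify value copied onto a different :agent does not check out.
	sc.DelegationForged = CheckDelegation(pub, []Delegation{{Agent: s2, Verify: verify}}, s2)
	return sc, nil
}

func main() {
	sc, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", sc)
}
```

The decisive design point is that the verifier hashes its own identity into the message (`pass+";"+self`) rather than trusting the `:service` value in the profile alone; that is what stops a service that has learned the password from presenting it elsewhere, which is exactly the weakness the mail notes for the single-password variant.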
