Re: Extending the WebID protocol with Access Delegation

On 17 Aug 2012, at 10:35, Olivier Berger <olivier.berger@it-sudparis.eu> wrote:

> Hi.
> 
> 
> Henry Story <henry.story@bblfish.net> writes:
> 
>> Of interest to both RWW and WebID group:
>> 
>> Sebastian Tramp, Andrei Sambra, Philip Frischmuth, Michael Martin, Sören Auer and I have submitted a paper entitled "Extending the WebID protocol with Access Delegation"  for the ISCW 2012, 3rd International Workshop on Consuming Linked Data
>> 
>>   http://bblfish.net/tmp/2012/08/05/WebID_Delegation.pdf
>> 
>> The paper has not been accepted yet, and the review process will very likely allow us to revise parts of it. But the review process can start here already. Feedback, ideas and implementations are welcome :-)
>> 
>> More pointers on the wiki
>> 
>>   http://www.w3.org/wiki/WebID/Authorization_Delegation#External_pointers
>> 
> 
> Thanks for sharing this preprint.
> 
> I have a concern I'd like to share with you about the security of the
> protocol. I'm not a security expert, so I hope you can correct me ;-)
> 
> 
> In the basic WebID auth protocol, the "physical presence" of the agent
> connecting is the validation of the TLS negotiation when the client cert
> is submitted, which relies on the user "owning" the private key of the
> credential passed to the server (which relies on the security of the
> browser key cert and the like).
> 
> So every time an agent uses her WebID, you can "trust" that she's really
> acting in person, more or less.
> 
> Now, let's suppose that that agent delegated her auth to a secretary
> hosted on another server than hers, which eventually gets cracked.
> 
> So let's say we have:
> <http://freedombox.alice.com/alice#me> 
>  :secretary <http://freedombox.p0wned.com/secretary#me>.
> 
> the freedombox.p0wned.com system is in control of anyone but Alice, now,
> and any WebID cert can replace that of the original secretary's.
> 
> There's no need for the servers to detect that a spammer pretending to act
> On-Behalf-Of http://freedombox.alice.com/alice#me is no longer in control
> of Alice.
> 
> I think there may be a possibility to harden this a bit if we add an
> additional requirement that the secretary's WebID is "signed" by her
> owner's cert, or that the owner declares the secretary's cert's public
> key in addition to her own.

That is what section 3.2 argues. It seems like one can relax it if the secretary's
webid comes from the same Origin server, so that they don't need the same key.



> 
> Now we would have:
> <http://freedombox.alice.com/alice#me> 
>  cert:key [...];
>  :secretary <http://freedombox.p0wned.com/secretary#me>;
>  :secretary_key [...]
> 
> Anyone getting control of the freedombox.p0wned.com could still make use
> of the delegated WebID at will, of course, but it would be harder to
> trick the DNS system to just act as a man in the middle.
> 
> What's your opinion?
> 
> -- 
> Olivier BERGER 
> http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
> Research Engineer - INF Dept
> Institut Mines-Telecom, Telecom SudParis, Evry (France)

Social Web Architect
http://bblfish.net/

Received on Friday, 17 August 2012 19:55:55 UTC
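A defender-side check of the hardening discussed in this thread (the owner declaring the secretary's public key, plus the same-origin relaxation from the reply), written here as an added Python example; it is not code from the paper, from the thread, or from any WebID implementation. The profile is a constructed Python dict standing in for Alice's Turtle, the `:secretary` / `:secretary_key` terms are the hypothetical ones from the thread, keys are opaque strings, and a single `:secretary_key` set per owner is a simplification of a real per-secretary binding.

```python
from urllib.parse import urlsplit

# Constructed stand-in for Alice's profile document (hypothetical :secretary and
# :secretary_key terms from the thread; key material replaced by opaque labels).
ALICE = "http://freedombox.alice.com/alice#me"
PROFILES = {
    ALICE: {
        "cert:key": {"ALICE-PUBKEY"},
        ":secretary": {"http://freedombox.p0wned.com/secretary#me",
                       "http://freedombox.alice.com/bot#me"},
        ":secretary_key": {"SECRETARY-PUBKEY"},
    },
}

def same_origin(a, b):
    """Compare (scheme, host, port), i.e. the web origin of two URIs."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)

def check_delegation(profiles, owner, secretary, secretary_key):
    """Decide whether a request by `secretary`, already WebID-authenticated over
    TLS with `secretary_key`, may be honoured On-Behalf-Of `owner`.
    Returns (allowed, reason)."""
    profile = profiles.get(owner)
    if profile is None:
        return False, "owner profile not found"
    if secretary not in profile.get(":secretary", set()):
        return False, "secretary not listed by owner"
    # Relaxation from the reply: a secretary served from the same origin as the
    # owner's profile is under the owner's control, so no extra key binding.
    if same_origin(owner, secretary):
        return True, "same-origin secretary"
    # Foreign origin: the key used in the TLS handshake must be the one the
    # owner declared. A cracked secretary host can swap its cert, but cannot
    # edit Alice's profile on Alice's own server.
    declared = profile.get(":secretary_key", set())
    if not declared:
        return False, "foreign-origin secretary without a declared key"
    if secretary_key not in declared:
        return False, "presented key does not match owner-declared secretary key"
    return True, "key matches owner declaration"
```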