- From: Yunus Durmuş <yunus@yanis.co>
- Date: Wed, 30 Jan 2013 15:46:26 +0100
- To: public-webid@w3.org
- Message-ID: <CAP_smC=9k8nC7oS344dM80SsVTWQc4FXpcKr9weuk6uTvoaoWA@mail.gmail.com>
Hi,

The integrity of a PKI certificate is checked by the signature of the CA. If the certificate of the CA is missing in the chain, then we can use WebID authentication (if the certificate involves a WebID URI). However, since we do not trust the CA, we cannot trust the signature either. As a result, we may authenticate a certificate owner by employing WebID authentication, but we cannot be sure of the integrity of the certificate. Does WebID handle integrity in a different way?

*Detailed explanation is as follows:*

I am converting EAP-TLS wifi authentication to allow WebID authentication and authorization. I use the Hostapd open-source software, and hostapd uses OpenSSL. When OpenSSL cannot authenticate a certificate, it calls a "verify_callback" method, in which I place WebID authentication. OpenSSL calls the verify_callback method for every error of a certificate, in case we may want to apply different security measures. Anyway, if the certificate is self-signed, I get error 18 (self-signed error) and continue with WebID. However, if I use a certificate signed by a website, let's say from my-profile.eu, it raises three errors:

*27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted*
the root CA is not marked as trusted for the specified purpose.

*20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate*
the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

*21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate*
no signatures could be verified because the chain contains only one certificate and it is not self signed.

Since the signature of the certificate is created using the private key of my-profile.eu, and my-profile is not in the certificate chain, OpenSSL warns me about the above problems. Normally, I was ignoring those and kept going with WebID.

However, I realized that error #21 can lead to a man-in-the-middle attack, since we are not checking the integrity of the certificate.

Best Regards,
yunus
Received on Wednesday, 30 January 2013 21:54:24 UTC
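An added illustration of the verify_callback decision the message describes, not code from hostapd or the poster: OpenSSL invokes the callback once per error, so the model below records every error at each depth and decides over the accumulated set, letting only a self-signed leaf (error 18) fall through to a WebID check and rejecting an incomplete chain (errors 20, 21, 27) outright. The class and function names are assumptions; the error codes and their names are OpenSSL's.

```python
# Constructed model of a deny-by-default verify_callback policy for a
# WebID fallback (assumed names; not hostapd's implementation).

X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18          # self-signed leaf
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20    # issuer missing
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21      # no signature checked
X509_V_ERR_CERT_UNTRUSTED = 27                       # root not trusted

# Only a self-signed leaf may fall through to WebID: OpenSSL still checks its
# signature against its own public key, and the WebID step then compares that
# key with the profile. Any other error (incomplete chain, signature failure)
# means the certificate's integrity is unknown, so the handshake is aborted.
WEBID_FALLBACK_ERRORS = {(0, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)}


class VerifyPolicy:
    """Accumulates (depth, error) pairs across the per-error callbacks of one
    TLS handshake and exposes the final decision."""

    def __init__(self):
        self.errors = set()

    def verify_callback(self, preverify_ok, depth, err):
        """Mirrors OpenSSL's verify_callback: return 1 to continue, 0 to abort."""
        if preverify_ok:
            return 1
        self.errors.add((depth, err))
        # Abort as soon as an error outside the allow-list appears.
        return 1 if (depth, err) in WEBID_FALLBACK_ERRORS else 0

    def decision(self):
        """'accept' (chain verified), 'webid' (self-signed leaf only), or 'reject'."""
        if not self.errors:
            return "accept"
        if self.errors <= WEBID_FALLBACK_ERRORS:
            return "webid"
        return "reject"


def decide(callback_events):
    """Replay a constructed sequence of (preverify_ok, depth, err) callbacks."""
    policy = VerifyPolicy()
    for ok, depth, err in callback_events:
        policy.verify_callback(ok, depth, err)
    return policy.decision()
```

The three-error sequence from the message (27, 20, 21 at depth 0) is rejected by this policy, while a lone error 18 is routed to the WebID check.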