Re: [foaf-protocols] WebID status recap? from Melvin Carvalho on 2013-07-02 (public-webid@w3.org from July 2013)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 2 Jul 2013 15:30:07 +0200
To: peter williams <home_pw@msn.com>
Cc: Stéphane Corlosquet <scorlosquet@gmail.com>, Henry Story <henry.story@bblfish.net>, "foaf-protocols@lists.foaf-project.org" <foaf-protocols@lists.foaf-project.org>, public-webid Group <public-webid@w3.org>
Message-ID: <CAKaEYhL1mgp+XTe6ZN9513z4PZA--FO2EkwhY4VibJu9WAbM5w@mail.gmail.com>

On 2 July 2013 15:07, peter williams <home_pw@msn.com> wrote:

> Why the focus on that tls spec? It focuses on an applied variant of
> channel bindings tokens (that more generally address non-detection of
> cert-based mitm).
>

TLS was historically the first working solution to WebID Authentication.
So that was the first spec written, and the first implementations.  It's
only in the last year that WebID Identity and Auth were split so that makes
things more modular now.


>
> I thought webid made the assumption that states and corporations dont
> engage in such activities (perhaps as ordered, in the case of large
> corporations) and thus such vulnerabilities are just "defined" as out of
> scope for webid?


One advantage of using x.509 certs is that when putting our identity
inside, you dont need to do any typing or clicking buttons.

In terms of security TLS has known weaknesses, I think the spec has
security considerations section


>
> Stéphane Corlosquet <scorlosquet@gmail.com> wrote:
>
>
>
> On Fri, Jun 14, 2013 at 5:34 AM, Henry Story <henry.story@bblfish.net>wrote:
>
>>
>> On 13 Jun 2013, at 22:31, Henry Story <henry.story@bblfish.net> wrote:
>>
>> > Yes, we have two specs:
>> >
>> > https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
>> > https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
>> >
>> > I am not sure why we don't get the full html view anymore.
>> > Anyone know what we need to change?
>>
>> I fixed these. The problem is related to the move to the new
>> respec.js https://github.com/darobin/respec/
>>
>> It no longer allows one to add spec refs to the js as one used
>> to be able to
>>
>> see diff https://dvcs.w3.org/hg/WebID/rev/7f01174c75b0
>>
>> So the TLS spec now is missing two references
>>
>> [[
>>   berjon.biblio["RFC5746"] = "E. Rescorla, M. Ray, S. Dispensa, N. Oskov,
>>  <a href=\"http://tools.ietf.org/html/rfc5746\"><cite>Transport Layer
>> Security (TLS) Renegotiation Indication Extension</cite></a> February 2010.
>> Internet RFC 5246. URL: <a href=\"http://tools.ietf.org/html/rfc5746\">
>> http://tools.ietf.org/html/rfc5746</a> ";
>>
>>   berjon.biblio["WEBID"] =  "Andrei Sambra, Stéphane Corlosquet. <a href='
>> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html'
>> ]]
>>
>> Any idea how one can get those added to the code using the new specref?
>>
>
> I've fixed that with [1]. The updated TLS document doesn't show errors now
> [2].
>
> Steph.
>
> [1] https://dvcs.w3.org/hg/WebID/rev/49894597ee18
> [2] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
>
>

Received on Tuesday, 2 July 2013 13:30:35 UTC