- From: Yunus Durmuş <yunus@yanis.co>
- Date: Sun, 23 Nov 2014 14:07:24 +0100
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- Cc: Yunus Durmuş <yunus@yanis.co>, public-webid <public-webid@w3.org>
- Message-ID: <CAP_smCknR4mw+DaVsR-_s2dtKdaytZ-oHZR=2WbmwfgZG-hNEA@mail.gmail.com>
On Fri, Nov 21, 2014 at 6:30 PM, henry.story@bblfish.net <henry.story@bblfish.net> wrote:

>
> On 21 Nov 2014, at 12:29, Yunus Durmuş <yunus@yanis.co> wrote:
>
> Hi everyone,
>
> These days, RAW public keys (RFC-7250 <http://tools.ietf.org/html/rfc7250>)
> are being pushed for tiny constrained devices. As the name suggests,
> instead of an X509 certificate, only the public key is transferred, nothing
> else, not even the identity and signature. The motivation behind it is that there
> will be fewer bits on the wire and there won't be any need for certificate
> parsing/validation code.
>
>
> Seems like an interesting idea.
>
>
> Then the question is how can we transfer the magic URI for the WebID
> protocol? We can embed the URI in the messages of DTLS (Datagram-TLS) or
> we can attach it to the end of the public key. However, there won't be a
> certificate signature that verifies the integrity of the URI.
>
>
> Do you consider it a serious problem? With a man in the middle attack,
> the URI can be altered, which results in a DOS attack. But, to me, it is
> the same as changing the X509 certificate on the wire with a new one.
>
>
> If you look at the sequence diagram in WebID TLS
>
>
> http://www.w3.org/2005/Incubator/webid/spec/tls/#authentication-sequence
>
> In 1) the TLS setup is done using the server certificate;
> from then on all communication is secured.
>
> 4) then happens over a secured connection.
>
> How does a man in the middle attack take place?
>

That's good news. If the RAW public key + URI is transmitted over a secure channel, then an adversary cannot deploy a man in the middle attack.

--yunus

>
> Henry
>
>
> best
> --yunus
>
>
> Social Web Architect
> http://bblfish.net/
>
>
Received on Sunday, 23 November 2014 13:08:14 UTC
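The thread turns on where the binding between the raw public key and the WebID URI actually comes from once there is no certificate signature: the relying party dereferences the URI and checks that the profile document lists the presented key, so an attacker who can only rewrite the URI in an unprotected frame causes an authentication failure (denial of service), not impersonation. The following is an added example, not code from the thread or from any WebID implementation. It assumes a hypothetical length-prefixed framing that appends the URI to the raw key, stands in for the HTTPS profile lookup with an in-memory dictionary, and takes the DTLS handshake's proof of private-key possession as already done; the key bytes and URIs are constructed sample values.

```python
"""Checking a WebID URI against a raw public key via the profile document.

Added example, not from the mailing-list thread. The framing, the sample key
bytes and the in-memory profile store are all assumptions standing in for
RFC 7250 raw public keys, DTLS extension data and an HTTPS/RDF profile fetch.
"""
import hashlib
import struct
from typing import Callable, Optional, Set, Tuple

# Constructed sample bytes standing in for a DER SubjectPublicKeyInfo.
ALICE_RAW_KEY = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004" + "ab" * 64)
ALICE_WEBID = "https://alice.example/profile#me"      # constructed
MALLORY_WEBID = "https://mallory.example/profile#me"  # constructed


def frame_key_and_uri(raw_key: bytes, webid: str) -> bytes:
    """Hypothetical framing: 2-byte length + raw key, 2-byte length + URI.

    Nothing here is signed, so the frame itself offers no integrity
    protection; that is the gap the thread discusses.
    """
    uri = webid.encode("utf-8")
    return struct.pack("!H", len(raw_key)) + raw_key + struct.pack("!H", len(uri)) + uri


def parse_key_and_uri(frame: bytes) -> Tuple[bytes, str]:
    """Inverse of frame_key_and_uri, with bounds checks on both fields."""
    (key_len,) = struct.unpack_from("!H", frame, 0)
    raw_key = frame[2:2 + key_len]
    if len(raw_key) != key_len:
        raise ValueError("truncated key field")
    (uri_len,) = struct.unpack_from("!H", frame, 2 + key_len)
    uri = frame[4 + key_len:4 + key_len + uri_len]
    if len(uri) != uri_len:
        raise ValueError("truncated URI field")
    return raw_key, uri.decode("utf-8")


def fingerprint(raw_key: bytes) -> str:
    """SHA-256 over the raw key bytes; used as the comparison key."""
    return hashlib.sha256(raw_key).hexdigest()


# Constructed stand-in for dereferencing WebID profile documents:
# URI -> fingerprints of the public keys that profile lists as its own.
PROFILES = {
    ALICE_WEBID: {fingerprint(ALICE_RAW_KEY)},
    MALLORY_WEBID: set(),  # Mallory's profile does not list Alice's key.
}


def lookup_profile_keys(webid: str) -> Set[str]:
    """Simulated profile fetch; a real agent would GET the URI over HTTPS."""
    return PROFILES.get(webid, set())


def authenticate(frame: bytes,
                 lookup: Callable[[str], Set[str]] = lookup_profile_keys) -> Optional[str]:
    """Return the WebID if its profile lists the presented key, else None.

    Proof of possession of the private key is assumed to have been
    established by the DTLS handshake before this check runs.
    """
    raw_key, webid = parse_key_and_uri(frame)
    if fingerprint(raw_key) in lookup(webid):
        return webid
    return None


def tamper_uri(frame: bytes, new_webid: str) -> bytes:
    """Model an on-path party rewriting only the URI of an unprotected frame."""
    raw_key, _ = parse_key_and_uri(frame)
    return frame_key_and_uri(raw_key, new_webid)


if __name__ == "__main__":
    honest = frame_key_and_uri(ALICE_RAW_KEY, ALICE_WEBID)
    print("honest frame ->", authenticate(honest))
    print("rewritten URI ->", authenticate(tamper_uri(honest, MALLORY_WEBID)))
```

The rewritten frame fails because the profile at the substituted URI does not list Alice's key; the attacker gains no identity, only the ability to break Alice's login, which is the DoS outcome the thread describes. When the key + URI pair travels inside the already-established TLS/DTLS channel, the rewrite is not possible at all, which is the point of the sequence-diagram reference.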