- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Wed, 28 Jun 2017 10:16:36 -0400
- To: Martynas Jusevičius <martynas@atomgraph.com>, public-webid@w3.org
- Message-ID: <e0f89842-9619-22f6-3db2-3571ec0c223f@openlinksw.com>
On 6/27/17 8:44 PM, Martynas Jusevičius wrote:
> Kingsley,
>
> I am implementing WebID authentication in our software, and key
> mismatch is a real scenario.
>
> Can you show me where in the spec it is addressed?

Martynas,

Your comments are confusing. Are you speaking of the WebID+TLS protocol which is basically a TLS-handshake extension that uses a WebID lookup (using value of SAN attribute in an X.509 Cert) to locate a Public Key in a WebID-Profile document?

If not, then we are not speaking about the same thing, and as a result not communicating effectively.

Terms:

1. WebID -- HTTP URI that identifies an Agent and adheres to Linked Data principles
2. WebID-Profile Document -- a collection of RDF statements in an RDF document that describe an Agent identified by a WebID
3. WebID+TLS -- TLS handshake extension that matches Public Keys in an X.509 cert and a WebID-Profile document by way of WebID de-reference
4. WebID+TLS+Delegation -- adds an additional lookup route to #3 via acl:delegates relation

Kingsley

> On Wed, 28 Jun 2017 at 02.04, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>
>     On 6/27/17 6:33 PM, Martynas Jusevičius wrote:
>     > Hi,
>     >
>     > I think there is another case where failure scenario is not defined in
>     > protocol: verifying the WebID.
>     >
>     > What happens if the certificate key does not match the WebID key? None
>     > of the verification steps or sections seem to consider that. I suggest
>     > again that a 400 Bad Request should be returned.
>     >
>     > I think it is important for the protocol to handle failures if we want
>     > robust implementations.
>     >
>     > Is this group active enough to fix such issues?
>     >
>     >
>     > Martynas
>
>     Hi Martynas,
>
>     What do you mean by Certificate Key? Are you referring to the Public Key
>     component of an X.509 Certificate?
>
>     Bearing in mind that WebID+TLS isn't new, and there are implementations
>     out in the wild, wouldn't it be better if you started off by testing
>     authentication of your WebID against existing implementations?
>
>     You might also find the YouID browser extension we built interesting
>     since its sole purpose is simplification of WebID+TLS and/or
>     WebID+TLS+Delegation protocol usage (e.g., negating the UX headache
>     introduced by browsers when toggling WebIDs over an existing TLS
>     session) [1].
>
>     You can try:
>
>     [1] http://linkeddata.uriburner.com/sparql -- click on "login" button
>
>     [2] http://osdb.openlinksw.com -- click on the "login" button
>
>     [3] http://id.myopenlink.net/ods/webid_demo.html -- most basic WebID+TLS
>     authentication tool we have
>
>     Links:
>
>     [1] https://medium.com/openlink-software-blog/simple-youid-browser-extension-usage-exercise-57fa3ff6c6b7
>     -- Simple YouID Browser Extension Usage Exercise.
>
>     --
>     Regards,
>
>     Kingsley Idehen
>     Founder & CEO
>     OpenLink Software (Home Page: http://www.openlinksw.com)
>
>     Weblogs (Blogs):
>     Legacy Blog: http://www.openlinksw.com/blog/~kidehen/
>     Blogspot Blog: http://kidehen.blogspot.com
>     Medium Blog: https://medium.com/@kidehen
>
>     Profile Pages:
>     Pinterest: https://www.pinterest.com/kidehen/
>     Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
>     Twitter: https://twitter.com/kidehen
>     Google+: https://plus.google.com/+KingsleyIdehen/about
>     LinkedIn: http://www.linkedin.com/in/kidehen
>
>     Web Identities (WebID):
>     Personal: http://kingsley.idehen.net/dataspace/person/kidehen#this
>     : http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software (Home Page: http://www.openlinksw.com)

Weblogs (Blogs):
Legacy Blog: http://www.openlinksw.com/blog/~kidehen/
Blogspot Blog: http://kidehen.blogspot.com
Medium Blog: https://medium.com/@kidehen

Profile Pages:
Pinterest: https://www.pinterest.com/kidehen/
Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
Twitter: https://twitter.com/kidehen
Google+: https://plus.google.com/+KingsleyIdehen/about
LinkedIn: http://www.linkedin.com/in/kidehen

Web Identities (WebID):
Personal: http://kingsley.idehen.net/dataspace/person/kidehen#this
: http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Wednesday, 28 June 2017 14:17:06 UTC
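
An added example, not part of the message above or of any implementation it mentions: the public-key comparison from term 3 (WebID+TLS), with the key-mismatch case raised in the thread reported as its own outcome, separate from a profile that lists no key. It assumes the WebID-Profile document has already been dereferenced and parsed into triples; the function names, the `Outcome` values, the sample WebID and the toy key values are constructed for illustration.

```python
# Added example (constructed data): WebID+TLS key matching with explicit outcomes.
from enum import Enum

CERT = "http://www.w3.org/ns/auth/cert#"  # W3C cert ontology namespace

class Outcome(Enum):
    MATCH = "match"
    KEY_MISMATCH = "key-mismatch"
    NO_KEY_IN_PROFILE = "no-key-in-profile"

def norm_hex(value):
    """Normalise a hex modulus: drop separators, lower-case, strip leading zeros."""
    return "".join(c for c in value if c not in " :\t\n").lower().lstrip("0")

def profile_keys(triples, webid):
    """Return (modulus, exponent) pairs the profile asserts for webid via cert:key."""
    found = []
    for s, p, key in triples:
        if s == webid and p == CERT + "key":
            props = {pp: o for ss, pp, o in triples if ss == key}
            if CERT + "modulus" in props and CERT + "exponent" in props:
                found.append((norm_hex(props[CERT + "modulus"]),
                              int(props[CERT + "exponent"])))
    return found

def verify_claim(san_uri, cert_modulus, cert_exponent, triples):
    """Compare the certificate's RSA key with the keys listed for the SAN WebID."""
    keys = profile_keys(triples, san_uri)
    if not keys:
        return Outcome.NO_KEY_IN_PROFILE   # profile names no usable key for this WebID
    if (norm_hex(cert_modulus), int(cert_exponent)) in keys:
        return Outcome.MATCH               # any one listed key may match
    return Outcome.KEY_MISMATCH            # keys exist, none equals the cert's key

# Constructed sample: triples as they might look after parsing a profile document.
WEBID = "https://alice.example/profile#me"
PROFILE = [
    (WEBID, CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", "00C0FFEE1234ABCD"),
    ("_:k1", CERT + "exponent", "65537"),
]

if __name__ == "__main__":
    print(verify_claim(WEBID, "c0:ff:ee:12:34:ab:cd", 65537, PROFILE))
    print(verify_claim(WEBID, "c0:ff:ee:12:34:ab:ce", 65537, PROFILE))
    print(verify_claim("https://bob.example/profile#me", "c0ffee", 65537, PROFILE))
```

Returning a distinct outcome for each failure lets the calling server log and answer a mismatch differently from a profile that lists no key; which HTTP status to send is left to the caller.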