Re: WebID security picture from Mo McRoberts on 2011-04-08 (public-xg-webid@w3.org from April 2011)

From: Mo McRoberts <Mo.McRoberts@bbc.co.uk>
Date: Fri, 8 Apr 2011 11:44:04 +0100
To: Henry Story <henry.story@bblfish.net>
Cc: WebID XG <public-xg-webid@w3.org>
Message-Id: <A3942EBD-E77F-444D-9E44-91E8BA73A33C@bbc.co.uk>
On 8 Apr 2011, at 11:11, Henry Story wrote:

> Indeed, we do not deal with confirming the other details in the WebID Profile. Consider that every fact requires different types of verification. 
> 
> 1. To prove that the owner of the cert is the owner of the cert, you use cryptography to prove he has the private key. 
> 2. To prove that he is identified by the WebID you use the WebID protocol (you check the profile)
> 
> Proving the rest of the foaf is undetermined. But there are many policies you can use, depending on the degree of security you need. One such policy would be to assign a certain level of trust to people known to friends of yours. You use your friends as filters on what other people say about themselves. 

Yes, this is fine — the rest of the FOAF is just sets of statements, any of which may or may not be true. My name might be Mo McRoberts, it might not be. My FOAF may or may not say the same thing…

In this context, there's one specific part of that FOAF we're interested in, and that's the relationship described in that document between the subject and the certificate. we have on the one side a very strong assertion -- “I hold the certificate” (because the crypto deals with that for you) -- but beyond that it's much weaker -- “this is my subject URI, and the document published at that URI will confirm that”.

>> Consider an attacker who wishes to impersonate you, and has gained access to the [untrusted] server where your RDF is published.
> 
> In that case your security has been breached.

Ah, but it's not *your* security. It's the security of whoever you've hosted your RDF with. Your security may well be absolutely fine.

> You have to hope one of your friends will notice something odd, and alert you. By the way if someone gains access to your laptop and your keychain password you are also in deep trouble.

Okay, but which is more likely, on the whole? A security breach on a public-facing web server, or a security breach on a laptop which sits behind a firewall, NAT, has a password on the private key, etc., etc. Both carry a risk, but they're quite different sets of risks.

Your friends will alert you, but only if they know it's happened…

Essentially, this means that if an attacker gains control of a web server hosting FOAF documents [noting that attackers gain control of web servers on a disturbingly regularly basis], they can claim to hold any of the identities published there with little more effort than asserting the fact. 

>> The big question is whether this is a problem which actually needs to be solved, and if so, how?
> 
> I think the best solution is to create more secure operating systems. 

Who says it's a problem with the operating system? That's just one example… it could equally be that the operator of the web server you host the FOAF document on is unscrupulous, or becomes the victim of a social engineering attack, or any one another bunch of scenarios… some of these are applicable to the holder of the key, but modern operating systems do quite a lot to mitigate that (as do connectivity scenarios).

>> In other words:
>> 
>> - Is it simply the case that if an attacker gains access to the server hosting your RDF, all bets are off? If so, this means that relying on a third party to serve that then becomes a matter of calculated risk and trust (and for large-scale adoption, does this then mean that you're trusting, e.g., Facebook not to hijack your identity)?
> 
> 500 million people (accounts?) are trusting Facebook not to hijack their identity. Facebook's valuation is dependent on them not to be seen to be doing that. 

Or they're not caring when it happens — it's not necessarily the key metric?

Is Facebook used for anything 'important', identity-wise, or is the value in the random applications and the social graph? Is WebID intended to be an identity system suitable only for social network-style scenarios, or can it have wider applications? if the latter, then the equivalent of “trust Facebook|Twitter|LiveJournal that you really did log into them” may not be sufficient. this may seem like nitpicking, but I can see the potential of WebID as the basis of a broader decentralised identity system…

> URIs make it much easier to create linked data, and so a social web. One could create public key based URI schemes, but that requires a lot more to be built.

Indeed; and I'd go further, and suggest that for an identity system to be distributed, you need resolvable URIs from the outset. URIs based on public keys just move the problem and make things more complex.

>> - Does there need to be a 'shared' key which is associated with both the certs and the RDF in some way, and only you hold?
> 
> No there does not need to be such a root key. I don't think it is excluded as a future option.
> 
>> This solves the problem, but complicates the processes — you need to make sure that you don't lose that root key [naturally], and you need to have it to hand whenever you need to generate a new certificate;
> 
> yes, this creates a very strong technical and social problems that cannot be lightly overcome
> People will loose public keys or their private keys, or viruses will steal them from their computer - until hardware keys are widely available. To make keys the central point of focus is going to take too much teaching people.

I maybe have more faith that the problems could be overcome: it moves the security aspects to be in the hands of the agent who already has to look after the certificate keys (rather than implicitly trusting a third party), while still allowing the FOAF to be published anywhere at all; in other words, it reduces the surface-area of potential abuse.

I readily accept that it does make things more difficult in certain respects, of course.

>> on the other hand, it does allow a cryptographically strong identity to be maintained for an agent independently of the certificate/browser/device being used (i.e., the public half of the shared key), which will be very useful for certain applications;
> 
> Only if you get people to learn to keep the private keys very very safe. I think as WebId grows, the sale of crypto keys will become a business, which will then make options in this space more viable.

operating systems already do 99% of the work in keeping private keys very safe. even if you gain access to my computer, and log into my account, you still don't get my private key without also getting a particular password for it out of me…

to lay my cards on the table, I'm not convinced that WebId will definitely gain traction in the social space and so gain enough adoption to be useful for wider applications that way — that's not because there's anything wrong with it, but because people are to an extent unpredictable, and don't necessarily head in the direction that's best :)

M.

-- 
Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A




http://www.bbc.co.uk/
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.
Received on Friday, 8 April 2011 10:44:52 UTC