- From: Olivier Berger <olivier.berger@it-sudparis.eu>
- Date: Fri, 17 Aug 2012 10:35:24 +0200
- To: Henry Story <henry.story@bblfish.net>
- Cc: "public-webid\@w3.org" <public-webid@w3.org>, Read-Write-Web <public-rww@w3.org>
Hi. Henry Story <henry.story@bblfish.net> writes: > Of interest to both RWW and WebID group: > > Sebastian Tramp, Andrei Sambra, Philip Frischmuth, Michael Martin, Sören Auer and I have submitted a paper entitled "Extending the WebID protocol with Access Delegation" for the ISCW 2012, 3rd International Workshop on Consuming Linked Data > > http://bblfish.net/tmp/2012/08/05/WebID_Delegation.pdf > > The paper has not been accepted yet, and the review process will very likely allow us to revise parts of it. But the review process can start here already. Feedback, ideas and implementations are welcome :-) > > More pointers on the wiki > > http://www.w3.org/wiki/WebID/Authorization_Delegation#External_pointers > Thanks for sharing this preprint. I have a concern I'd like to share with you about the security of the protocol. I'm not a security expert, so I hope you can correct me ;-) In the basic WebID auth protocol, the "physical presence" of the agent connecting is the validation of the TLS negociation when the client cert is submitted, which relies on the user "owning" the private key of the credential passed to the server (which relies on the security of the browser key cert and likes). So everytime an agent uses her WebID, you can "trust" that she's really acting in person more or less. Now, let's suppose that that agent delegated her auth to a secretary hosted on another server than her's which gets eventually cracked. So let's say we have : <http://freedombox.alice.com/alice#me> :secretary <http://freedombox.p0wned.com/secretary#me>. the freedombox.p0wned.com system is in control of anyone but Alice, now, and any WebID cert can replace that of the original secretary's. There's no need for the servers to detect that a spammer pretending acting On-Behaf-Of http://freedombox.alice.com/alice#me is no longer in control of Alice. I think there may be a possibility harden this a bit if we add an additional requirement that the secretary's WebID is "signed" by her owner's cert, or that the owner declares the secretary's cert's public key in addition to her own's. Now we would have : <http://freedombox.alice.com/alice#me> cert:key [...]; :secretary <http://freedombox.p0wned.com/secretary#me>; :secretary_key [...] Anyone getting control of the freedombox.p0wned.com could still make use of the delegated WebID at will, of course, but it would be harder to trick the DNS system to just act as a man in the middle. What's your opinion ? -- Olivier BERGER http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8 Ingenieur Recherche - Dept INF Institut Mines-Telecom, Telecom SudParis, Evry (France)
Received on Friday, 17 August 2012 08:35:58 UTC