- From: Nathan <nathan@webr3.org>
- Date: Thu, 05 Jul 2012 16:14:00 +0100
- To: Read-Write-Web <public-rww@w3.org>
Hi All,
Just some brainstorming on both delegated auth and on how to allow auth
via username+password when a certificate isn't present (e.g. in an
internet cafe).
On Delegated Auth:
===============================
Problem: Some agent <a> would like to allow another agent <d> to make
requests on its behalf.
Requirements:
Verify identity of <d>
- already handled by WebID
Specify that <d> is making a request on behalf of <a>
- use an "On-Behalf-Of: <a>" header.
Verify that the owner of <a> holds the private key correlating to the public
key found in the profile
- private key sign or encrypt string "<a>" within the profile found at <a>
Specify that <a> allows <d> to act on its behalf:
- specify this in <a>'s profile, for example
{ <a> :delegates [ :agent <d> ] . }
(optional) Verify that <a> allows <d> to act on its behalf:
- private key sign or encrypt the string "<d>" and add it to the
profile found at <a>, for example:
{
<a> :delegates [
:agent <d>;
:verify "XKZ...DhA=="^^xsd:base64Binary ] .
}
(optional) Specify that <a> allows <d> bearing public key PKD to act on
its behalf:
- include the public key of <d> in the profile of <a>, for example:
{
<a> :delegates [
:agent <d>;
:verify "XKZ...DhA=="^^xsd:base64Binary;
[
a rsa:RSAPublicKey;
cert:identity <d>;
rsa:modulus [ cert:hex "FD..847" ];
rsa:public_exponent [ cert:decimal "65537" ]
]
] .
}
(additional) Specify that <a> allows <d> to act on its behalf for
purpose P:
- perhaps specify using ACL permissions and the resource <r> that <d> is
allowed access to
notes: how to keep this info private? Very similar to OAuth2's "<d> is
requesting permission to Read(+Write) your info at <r>."
On Certificate Not Present:
===============================
Problem: how to authenticate with service <s> as agent <a> when
certificate is not present in the browser
Possible solution: pass <a> and a password to <s>.
Requirements:
Verify that the agent <a> authorizes the password "pass" and holds the
private key related to the public key found in the profile at <a>.
- specify a signature of "pass" in the profile at <a>, for example:
{
<a> :cnp [
:password-signature "URP...XhF=="^^xsd:base64Binary;
] .
}
notes:
- <s> can verify the password by calling openssl_verify("pass",
$passwordSignature, $publicKey);
- one password for all services, a bit insecure but works
- allows service <s> to then pretend to be <a> since same pass for all
services
Verify that the agent <a> authorizes the password "pass" for use ONLY on
service <s>, and holds the private key related to the public key found
in the profile at <a>.
- specify a signature of the concatenation ("pass" + ";" + "<s>") in the
profile at <a>, for example:
{
<a> :cnp [
:service <s>;
:password-signature "URP...XhF=="^^xsd:base64Binary;
] .
}
notes:
- <s> can find the password
- single password per service, password can't be reused by <s> for
other services
Hope that all makes sense to somebody other than me! I'm sure there are
bits I've missed, but it's just some notes on how I'd probably approach
the problems currently being discussed.
Best,
Nathan
Received on Thursday, 5 July 2012 15:14:44 UTC
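The two checks sketched in the message above (a service verifying an "On-Behalf-Of" delegation against the :verify signature in <a>'s profile, and a service verifying a service-scoped :password-signature when no certificate is present), written out as an added example. This is not code from Nathan's post or from any WebID implementation; it uses only the Go standard library. Assumptions: the RDF profile is replaced by a plain struct (a real service would fetch and parse the document at <a>); signatures are RSA PKCS#1 v1.5 over SHA-256, since the post fixes no scheme; the signed bytes for the delegation are the bare IRI string of <d>, and for the password the string pass + ";" + <s> exactly as the post describes; all WebIDs, service URLs and the password are constructed test values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Delegation stands in for one `<a> :delegates [ :agent <d>; :verify ... ]` entry.
type Delegation struct {
	Agent  string // WebID of <d>
	Verify []byte // <a>'s signature over the IRI of <d> (exact signed bytes are an assumption)
}

// PasswordGrant stands in for one `<a> :cnp [ :service <s>; :password-signature ... ]` entry.
type PasswordGrant struct {
	Service   string // URL of <s>
	Signature []byte // <a>'s signature over pass + ";" + <s>
}

// Profile stands in for the parsed WebID profile document found at <a>.
type Profile struct {
	PublicKey *rsa.PublicKey // published as rsa:modulus / rsa:public_exponent
	Delegates []Delegation
	CNP       []PasswordGrant
}

// NewExampleProfile mints a fresh RSA key for <a> (a constructed test identity).
func NewExampleProfile(webid string) (*Profile, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Profile{PublicKey: &priv.PublicKey}, priv, nil
}

// PKCS#1 v1.5 over SHA-256 (assumption: the post fixes no scheme; openssl_verify's SHA-1 default is obsolete).
func sign(priv *rsa.PrivateKey, msg string) ([]byte, error) {
	h := sha256.Sum256([]byte(msg))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}
func verify(pub *rsa.PublicKey, msg string, sig []byte) bool {
	h := sha256.Sum256([]byte(msg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// AddDelegate records that <d> may act for <a>, with the optional :verify signature.
func AddDelegate(p *Profile, priv *rsa.PrivateKey, d string) error {
	sig, err := sign(priv, d)
	if err != nil {
		return err
	}
	p.Delegates = append(p.Delegates, Delegation{Agent: d, Verify: sig})
	return nil
}

// VerifyDelegation: after <d> has authenticated via WebID and sent "On-Behalf-Of: <a>", the service
// accepts only if <a>'s profile lists <d> AND :verify checks under <a>'s key, so a forged entry fails.
func VerifyDelegation(a *Profile, d string) bool {
	for _, del := range a.Delegates {
		if del.Agent == d && verify(a.PublicKey, d, del.Verify) {
			return true
		}
	}
	return false
}

// GrantPassword binds pass to one service: signing pass + ";" + <s> stops <s> reusing it elsewhere.
func GrantPassword(p *Profile, priv *rsa.PrivateKey, pass, service string) error {
	sig, err := sign(priv, pass+";"+service)
	if err != nil {
		return err
	}
	p.CNP = append(p.CNP, PasswordGrant{Service: service, Signature: sig})
	return nil
}

// VerifyPassword is what <s> runs when a browser without a certificate submits (<a>, pass).
func VerifyPassword(a *Profile, service, pass string) bool {
	for _, g := range a.CNP {
		if g.Service == service && verify(a.PublicKey, pass+";"+service, g.Signature) {
			return true
		}
	}
	return false
}

func main() {
	a, privA, _ := NewExampleProfile("https://a.example/#me")
	d, e, s1, s2 := "https://d.example/#me", "https://e.example/#me", "https://s1.example/", "https://s2.example/"
	_ = AddDelegate(a, privA, d)
	a.Delegates = append(a.Delegates, Delegation{Agent: e}) // forged entry: no signature by <a>
	_ = GrantPassword(a, privA, "correct horse", s1)
	fmt.Println(VerifyDelegation(a, d), VerifyDelegation(a, e)) // true false
	fmt.Println(VerifyPassword(a, s1, "correct horse"), VerifyPassword(a, s2, "correct horse"),
		VerifyPassword(a, s1, "wrong")) // true false false
}
```

The forged entry for <e> illustrates why the optional :verify signature matters: anyone who can write to (or spoof) the profile document can add an :agent triple, but only the holder of <a>'s private key can produce a signature that checks under the published key. The <s2> case shows the point of the second :cnp variant in the message: a password signed together with the service URL is useless to <s1> if it tries to replay it at <s2>.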