- From: Nathan <nathan@webr3.org>
- Date: Thu, 05 Jul 2012 16:14:00 +0100
- To: Read-Write-Web <public-rww@w3.org>
Hi All,

Just some brainstorming on both delegated auth, and how to allow auth via username+password when a certificate isn't present (e.g. in an internet cafe).

On Delegated Auth
===============================

Problem: Some Agent <a> would like to allow another agent <d> to make requests on its behalf.

Requirements:

Verify identity of <d>
 - already handled by WebID

Specify that <d> is making a request on behalf of <a>
 - use an "On-Behalf-Of: <a>" header.

Verify that the owner of <a> holds the private key correlating to the public key found in the profile
 - private key sign or encrypt the string "<a>" within the profile found at <a>

Specify that <a> allows <d> to act on its behalf:
 - specify this in <a>'s profile, for example
   { <a> :delegates [ :agent <d> ] . }

(optional) Verify that <a> allows <d> to act on its behalf:
 - private key sign or encrypt the string "<d>" and add it to the profile found at <a>, for example:
   { <a> :delegates [ :agent <d>; :verify "XKZ...DhA=="^^xsd:base64Binary ] . }

(optional) Specify that <a> allows <d> bearing public key PKD to act on its behalf:
 - include the public key of <d> in the profile of <a>, for example:
   { <a> :delegates [ :agent <d>; :verify "XKZ...DhA=="^^xsd:base64Binary; [ a rsa:RSAPublicKey; cert:identity <d>; rsa:modulus [ cert:hex "FD..847" ]; rsa:public_exponent [ cert:decimal "65537" ] ] ] . }

(additional) Specify that <a> allows <b> to act on its behalf for purpose P:
 - perhaps specify using ACL permissions and the resource <r> that <d> is allowed access to

notes:
 - how to keep this info private?
 - very similar to oauth2: "<d> is requesting permission to Read(+Write) to your info at <r>."

On Certificate Not Present:
===============================

Problem: how to authenticate with service <s> as agent <a> when a certificate is not present in the browser.

Possible solution: pass <a> and a password to <s>.
Requirements:

Verify that the agent <a> authorizes the password "pass" and holds the private key related to the public key found in the profile at <a>.
 - specify a signature of "pass" in the profile at <a>, for example:
   { <a> :cnp [ :password-signature "URP...XhF=="^^xsd:base64Binary; ] }

 notes:
 - <s> can verify the password by doing an openssl_verify("pass", $passwordSignature, $publicKey);
 - one password for all services, a bit insecure but works
 - allows service <s> to then pretend to be <a> since the same pass is used for all services

Verify that the agent <a> authorizes the password "pass" for use ONLY on service <s>, and holds the private key related to the public key found in the profile at <a>.
 - specify a signature of the concatenation ("pass" + ";" + "<s>") in the profile at <a>, for example:
   { <a> :cnp [ :service <s>; :password-signature "URP...XhF=="^^xsd:base64Binary; ] }

 notes:
 - <s> can find the password
 - single password per service, password can't be reused by <s> for other services

Hope that all makes sense to somebody other than me! I'm sure there are bits I've missed, but it's just some notes on how I'd probably approach the problems currently being discussed.

Best,

Nathan
Received on Thursday, 5 July 2012 15:14:44 UTC
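The two checks sketched in the message above (the optional :verify signature over "<d>" for delegation, and the :password-signature over "pass" or "pass;<s>" for the certificate-not-present case), written out as an added example that is not Nathan's code nor any WebID project code. It assumes RSA PKCS#1 v1.5 signatures over SHA-256 in place of the unspecified "sign or encrypt", and models the profile as a Go struct rather than parsing RDF; the WebID URIs, service URI and password are constructed sample values, and the key pair is generated on the fly rather than read from a profile.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Constructed sample values standing in for <a>, <d>, <s> and "pass".
const (
	ExampleAgent    = "https://a.example/profile#me"
	ExampleDelegate = "https://d.example/profile#me"
	ExampleService  = "https://s.example/"
	ExamplePassword = "correct horse battery staple"
)

// Delegation mirrors { <a> :delegates [ :agent <d>; :verify "..." ] }.
type Delegation struct {
	Agent  string // <d>
	Verify string // base64 signature by <a>'s key over the string "<d>"
}

// PasswordAuth mirrors { <a> :cnp [ :service <s>; :password-signature "..." ] }.
// An empty Service is the global variant: a signature over "pass" alone.
type PasswordAuth struct {
	Service   string
	Signature string
}

// Profile is the subset of <a>'s profile a verifier needs; Key stands in for
// the public key the profile publishes (assumed RSA).
type Profile struct {
	WebID     string
	Key       *rsa.PublicKey
	Delegates []Delegation
	CNP       []PasswordAuth
}

// sign produces the base64 PKCS#1 v1.5 / SHA-256 signature the profile would carry.
func sign(priv *rsa.PrivateKey, msg string) string {
	h := sha256.Sum256([]byte(msg))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig)
}

// verify is the counterpart of the email's openssl_verify(msg, sig, publicKey).
func verify(pub *rsa.PublicKey, msg, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(msg))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// ServiceBoundMessage is the proposed concatenation "pass" + ";" + "<s>".
func ServiceBoundMessage(password, service string) string {
	return password + ";" + service
}

// VerifyDelegation checks that <a>'s key signed the string "<d>" for a listed delegate.
func VerifyDelegation(p *Profile, d string) bool {
	for _, del := range p.Delegates {
		if del.Agent == d && verify(p.Key, d, del.Verify) {
			return true
		}
	}
	return false
}

// VerifyPassword is what service <s> runs on a submitted password: a global
// signature over "pass", or a signature over "pass;<s>" bound to this service only.
func VerifyPassword(p *Profile, service, password string) bool {
	for _, e := range p.CNP {
		if e.Service == "" && verify(p.Key, password, e.Signature) {
			return true
		}
		if e.Service == service && verify(p.Key, ServiceBoundMessage(password, service), e.Signature) {
			return true
		}
	}
	return false
}

// NewExampleProfile builds <a>'s profile with the service-bound variant only, so a
// password learned by <s> does not verify anywhere else.
func NewExampleProfile() (*Profile, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Profile{
		WebID:     ExampleAgent,
		Key:       &priv.PublicKey,
		Delegates: []Delegation{{Agent: ExampleDelegate, Verify: sign(priv, ExampleDelegate)}},
		CNP:       []PasswordAuth{{Service: ExampleService, Signature: sign(priv, ServiceBoundMessage(ExamplePassword, ExampleService))}},
	}, nil
}

func main() {
	p, err := NewExampleProfile()
	if err != nil {
		panic(err)
	}
	fmt.Println("delegation to <d> verifies:  ", VerifyDelegation(p, ExampleDelegate))
	fmt.Println("password at <s> verifies:    ", VerifyPassword(p, ExampleService, ExamplePassword))
	fmt.Println("same password at another <s>:", VerifyPassword(p, "https://other.example/", ExamplePassword))
}
```

The last line of output is the point of the second variant in the message: because <s> is part of the signed string, the signature found in <a>'s profile is only accepted when the verifying service supplies its own URI, so a service that has seen the password cannot present it elsewhere (the global "pass"-only variant gives no such guarantee, as the message notes). The signature still proves only that <a>'s key holder endorsed that password; it does not keep the password secret from <s>.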