- From: Tim Holborn <timothy.holborn@gmail.com>
- Date: Sat, 11 Jan 2014 19:22:25 +1100
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: Read-Write-Web <public-rww@w3.org>, public-webid WebID Group <public-webid@w3.org>
Cheers Anders.
I also note FB has a mechanism that says ‘new device’ et.al.
But the data is stored in their cloud / account, and it’s FB data not banking data or medical data, or everything in-between… So part of the difference is that a user stores their own data; rather than in an aggregated DB. (depending on the app design, etc.)
I see the x509 as ‘linking’ the machine or app; to the rww account. (even if it’s gDrive, which kinda undertakes that function also).
It’s not about authenticating the machine twice; it’s leveraging the machine authentication, but recognising the need to authenticate the user on a session level rather than a machine level; at least as a standards implemented model (could authenticate forever, but that’s up-to the user, not the app or the machine).
therein also; leaving space for an array of different auth. procedures to be allowed, or constructed by the user (perhaps with app. minimums).
tim.
On 11 Jan 2014, at 7:12 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> Tim,
> Just a short comment.
>
> An X.509 certificate is always embedded in "something"; this has to date not
> required users of X.509 client certificates to also authenticate this "something",
> it is rather assumed that the owner of "something" keeps it under his/her control.
>
> Not even HSM (Hardware Security Modules) costing big bucks offer any standard
> mechanism for authenticating themselves.
>
> That doesn't mean that device authentication is uninteresting, it is actually
> a part of Google's U2F scheme
>
> http://www.ietf.org/mail-archive/web/pkix/current/msg32832.html
>
> but this part is only used during enrollment similar to a bank who only issues
> credentials to cards it has knowledge of.
>
> Anders
>
> On 2014-01-11 08:59, Tim Holborn wrote:
>> Following from the last array; reviewing the FOAF documents; the spec; http://xmlns.com/foaf/spec/ clearly outlines a person and things that describe that person...
>>
>> Whilst it could be developed; it seems like i’m missing something...
>>
>> ‘agents’ appear to be used as a method to identify something associated to that person for which the FOAF relates; such as an (instant messaging) account, which in-turn lives on something that usually the operator of the account does not own, and that is assumed to be used by them (subject to authentication).
>>
>> Perhaps the way to explain this is that it’s a passive identifier not an active identifier.
>>
>> (NB. on shared computers when working with kids, they love to leave a message on your FB if you forget to logout, which refers to the account not necessarily being used by the account holder but rather that the account is ‘owned’ (or operated) by that person…)
>>
>> So; my theory is,
>>
>> devices are not people and x509 certs are embedded in machines. Perhaps the URI could use dublincore (is there an ontology for ‘things that speak internet”?) in theory there’s two types of devices; active devices and passive devices,
>>
>> - A passive device is something like a rfid tag; and,
>>
>> - An active device is something like a computer.
>>
>> The first step is to identify the machines (so we know it’s a machine you’ve previously identified, as so the auth. is more relaxed.) the next is to associate it to something, whether it be a FOAF or a DOAP or whatever (eventually of course, there’s always FOAF involved).
>>
>> Dublincore provides ontological methods for descriptions of machines in addition to trees, etc. whilst no-one is going to log-onto a system using a x509 cert with embedded uri that describes a tree; i can see the benefit in describing that it’s my i7 machine; that i’m using to connect and store data to ubiquitous.data.fm whether or not i’m applying permissions to another site [1] to store data onto ubiquitous.data.fm and therefore creating a few different ‘authorised’ semantic links (x509+WAC documents?) between systems to support whatever function i’m attempting to carry out; and i can also see the benefit of a device connected to a tree, describing both itself and the tree it’s got sensors on, for its purpose of being there. might also come-back with some SNMP data or something that says they need to get the birds off the solar-panel power-supply, else it won’t be sending anymore data…
>>
>> I understand more than one URI can be given to a x509 cert, but the current method which was the trigger for some rather extensive communiqué was that it’s currently applied as an extension to SSL+FOAF and the distributed (certgen) nature is really highly beneficial (not sure what IPv6 does to it) but perhaps not easily relayed to an institutional SSL used with a FOAF message.
>>
>> and; perhaps beyond the auth issue; it also works the other way around,
>>
>> If i manage to catch a photo of the lockness monster or bigfoot with by happy snappy - universal communicator ('smartphone’) - then whilst the tag ‘bigfoot’ might then attribute to en.wikisemantics.org/bigfoot <http://en.wikisemantics.org/bigfoot> - it would likely also want to associate to both the phone (GIS data, date, time, etc.) me (foaf) and the ability to link perhaps ‘credibility’ of the records via a ‘string’ of fields; might make the million dollar difference in getting it on the news that night… In those types of cases, perhaps it less matters who takes the picture, it more matters whether the data says its more likely to be authentic…
>>
>> comments, rebuttals and/or contributions welcome ;)
>>
>> [1] site examples
>> http://mindmup.com/
>> http://www.layoutit.com/build
>> http://codepen.io/
>> https://www.draw.io/
>
Received on Saturday, 11 January 2014 08:23:18 UTC