Re: Device Auth. Was: FOAF vs. DublinCore?

Google's solution is not solving device authentication. It is yet another
way for human authentication. From device authentication, I understand that
a device authenticates itself to another device or a web service without
the human owner in the loop.
In my research area M2M-IoT, we explicitly do not want humans involved in
the authentication loop. SD card can be used to authenticate a user, but
machine should have its own too. We always tend to think personal devices
or shared computers which has one user per time. But for instance Wireless
access point is a device which is always shared/used by family members in a
home scenario.

In my not-published yet paper (attached), I have used WebID protocol for
WiFi authentication by using it under EAP-TLS standard. And like Tim said I
embedded x509v3 certificates inside the machines. However, I should note
that these certificates belong to them not to their owners.  And in the
machine's FOAF profile at rww.io, the owner of the machine is identified.
Later on access point uses the ownership relation to grant access to the
wlan.
 I used "foaf:knows" to indicate the ownership but obviously it is a dirty
solution.  We are not buddies with our devices (yet), we own them. There
should be foaf:owned_by or any other ‘things that speak internet” ontology
to define our relation with our devices. I think after having a nice
ontology that defines our ownership relation to the devices, we can let our
devices socialize with each other and exchange their resources without our
awareness.


yunus





On Sat, Jan 11, 2014 at 9:39 AM, Tim Holborn <timothy.holborn@gmail.com>wrote:

> nice presentation [1]
>
> also; http://en.wikipedia.org/wiki/Know_your_customer
> http://openidentityexchange.org/white-papers-0
>
> Financial institutions have methods; one might hope that if your taking
> control over your own data; your standards would at least be capable of
> matching theirs…
>
> when it starts to get into FIPS - i start to get lost about the methods /
> requirements / etc.
>
> [1]
> https://docs.google.com/presentation/d/16mB3Nptab1i4-IlFbn6vfkWYk-ozN6j3-fr7JL8XVyA/edit?pli=1#slide=id.g19c09a112_2_88
>
> On 11 Jan 2014, at 7:12 pm, Anders Rundgren <anders.rundgren.net@gmail.com>
> wrote:
>
> Tim,
> Just a short comment.
>
> An X.509 certificate is always embedded in "something"; this has to date
> not
> required users of X.509 client certificates to also authenticate this
> "something",
> it is rather assumed that the owner of "something" keeps it under his/her
> control.
>
> Not even HSM (Hardware Security Modules) costing big bucks offer any
> standard
> mechanism for authenticating themselves.
>
> That doesn't mean that device authentication is uninteresting, it is
> actually
> a part of Google's U2F scheme
>
> http://www.ietf.org/mail-archive/web/pkix/current/msg32832.html
>
> but this part is only used during enrollment similar to a bank who only
> issues
> credentials to cards it has knowledge of.
>
> Anders
>
> On 2014-01-11 08:59, Tim Holborn wrote:
>
> Following from the last array; reviewing the FOAF documents; the spec;
> http://xmlns.com/foaf/spec/ clearly outlines a person and things that
> describe that person...
>
> Whilst it could be developed; it seems like i’m missing something...
>
> ‘agents’ appear to be used as a method to identify something associated to
> that person for which the FOAF relates; such as an (instant messaging)
> account, which in-turn lives on something that usually the operator of the
> account does not own, and that is assumed to be used by them (subject to
> authentication).
>
> Perhaps the way to explain this is that it’s a passive identifier not an
> active identifier.
>
> (NB. on shared computers when working with kids, they love to leave a
> message on your FB if you forget to logout, which refers to the account not
> necessarily being used by the account holder but rather that the account is
> ‘owned’ (or operated) by that person…)
>
> So; my theory is,
>
> devices are not people and x509 certs are embedded in machines. Perhaps
> the URI could use dublincore (is there an ontology for ‘things that speak
> internet”?) in theory there’s two types of devices; active devices and
> passive devices,
>
> - A passive device is something like a rfid tag; and,
>
> - An active device is something like a computer.
>
> The first step is to identify the machines (so we know it’s a machine
> you’ve previously identified, as so the auth. is more relaxed.) the next is
> to associate it to something, whether it be a FOAF or a DOAP or whatever
> (eventually of course, there’s always FOAF involved).
>
> Dublincore provides ontological methods for descriptions of machines in
> addition to trees, etc.  whilst no-one is going to log-onto a system using
> a x509 cert with embedded uri that describes a tree; i can see the benefit
> in describing that it’s my i7 machine; that i’m using to connect and store
> data to ubiquitous.data.fm whether or not i’m applying permissions to
> another site [1] to store data onto ubiquitous.data.fm and therefore
> creating a few different ‘authorised’ semantic links (x509+WAC documents?)
> between systems to support whatever function i’m attempting to carry out;
> and i can also see the benefit of a device connected to a tree, describing
> both itself and the tree it’s got sensors on, for its purpose of being
> there.  might also come-back with some SNMP data or something that says
> they need to get the birds off the solar-panel power-supply, else it won’t
> be sending anymore data…
>
> I understand more than one URI can be given to a x509 cert, but the
> current method which was the trigger for some rather extensive communiqué
> was that it’s currently applied as an extension to SSL+FOAF and the
> distributed (certgen) nature is really highly beneficial (not sure what
> IPv6 does to it) but perhaps not easily relayed to an institutional SSL
> used with a FOAF message.
>
> and; perhaps beyond the auth issue; it also works the other way around,
>
> If i manage to catch a photo of the lockness monster or bigfoot with by
> happy snappy - universal communicator ('smartphone’) - then whilst the tag
> ‘bigfoot’ might then attribute to en.wikisemantics.org/bigfoot <
> http://en.wikisemantics.org/bigfoot> - it would likely also want to
> associate to both the phone (GIS data, date, time, etc.) me (foaf) and the
> ability to link perhaps ‘credibility’ of the records via a ‘string’ of
> fields; might make the million dollar difference in getting it on the news
> that night…   In those types of cases, perhaps it less matters who takes
> the picture, it more matters whether the data says its more likely to be
> authentic…
>
> comments, rebuttals and/or contributions welcome ;)
>
> [1] site examples
> http://mindmup.com/
> http://www.layoutit.com/build
> http://codepen.io/
> https://www.draw.io/
>
>
>
>