- From: Olivier Berger <olivier.berger@it-sudparis.eu>
- Date: Fri, 17 Aug 2012 10:35:24 +0200
- To: Henry Story <henry.story@bblfish.net>
- Cc: "public-webid\@w3.org" <public-webid@w3.org>, Read-Write-Web <public-rww@w3.org>
Hi.

Henry Story <henry.story@bblfish.net> writes:

> Of interest to both RWW and WebID group:
>
> Sebastian Tramp, Andrei Sambra, Philip Frischmuth, Michael Martin, Sören Auer and I have submitted a paper entitled "Extending the WebID protocol with Access Delegation" for the ISCW 2012, 3rd International Workshop on Consuming Linked Data
>
> http://bblfish.net/tmp/2012/08/05/WebID_Delegation.pdf
>
> The paper has not been accepted yet, and the review process will very likely allow us to revise parts of it. But the review process can start here already. Feedback, ideas and implementations are welcome :-)
>
> More pointers on the wiki
>
> http://www.w3.org/wiki/WebID/Authorization_Delegation#External_pointers

Thanks for sharing this preprint.

I have a concern I'd like to share with you about the security of the protocol. I'm not a security expert, so I hope you can correct me ;-)

In the basic WebID auth protocol, the "physical presence" of the agent connecting is the validation of the TLS negotiation when the client cert is submitted, which relies on the user "owning" the private key of the credential passed to the server (which relies on the security of the browser key cert and the like). So every time an agent uses her WebID, you can "trust" that she's really acting in person, more or less.

Now, let's suppose that that agent delegated her auth to a secretary hosted on another server than hers, which eventually gets cracked. So let's say we have:

<http://freedombox.alice.com/alice#me> :secretary <http://freedombox.p0wned.com/secretary#me> .

The freedombox.p0wned.com system is now in control of anyone but Alice, and any WebID cert can replace that of the original secretary. There's no need for the servers to detect that a spammer pretending to act On-Behalf-Of http://freedombox.alice.com/alice#me is no longer in control of Alice.

I think there may be a possibility to harden this a bit if we add an additional requirement that the secretary's WebID is "signed" by her owner's cert, or that the owner declares the secretary's cert's public key in addition to her own. Now we would have:

<http://freedombox.alice.com/alice#me> cert:key [...] ;
    :secretary <http://freedombox.p0wned.com/secretary#me> ;
    :secretary_key [...] .

Anyone getting control of freedombox.p0wned.com could still make use of the delegated WebID at will, of course, but it would be harder to trick the DNS system to just act as a man in the middle.

What's your opinion?

-- 
Olivier BERGER
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
Received on Friday, 17 August 2012 08:35:57 UTC
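The hardening sketched in the message above, worked through as an added example that is not part of this thread, the paper, or any WebID implementation. It contrasts a naive On-Behalf-Of check, which trusts whatever key the secretary's own (possibly compromised) profile advertises, with the proposed check that only honours a key the owner declared in her own profile. The `:secretary` predicate IRI is hypothetical, the profiles and RSA key values are constructed samples, and "the owner declares the secretary's cert's public key" is modelled here as the owner's profile asserting a `cert:key` triple for the secretary; the Turtle `[...]` shorthand of the mail is expanded into N-Triples so a tiny parser suffices.

```python
import re
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]
Key = Tuple[str, str]  # (RSA modulus as hex, public exponent as decimal)

CERT_KEY = "<http://www.w3.org/ns/auth/cert#key>"
CERT_MODULUS = "<http://www.w3.org/ns/auth/cert#modulus>"
CERT_EXPONENT = "<http://www.w3.org/ns/auth/cert#exponent>"
# Hypothetical IRI standing in for the mail's ":secretary" predicate.
SECRETARY = "<http://example.org/ns/delegation#secretary>"

OWNER = "<http://freedombox.alice.com/alice#me>"
SECRETARY_ID = "<http://freedombox.p0wned.com/secretary#me>"

# Constructed sample: Alice's profile on her own box. Besides naming her
# secretary she asserts the secretary's cert:key herself, which is how this
# example realises "the owner declares the secretary's cert's public key".
ALICE_PROFILE = f"""
{OWNER} {CERT_KEY} _:alicekey .
_:alicekey {CERT_MODULUS} "00c0ffee0001" .
_:alicekey {CERT_EXPONENT} "65537" .
{OWNER} {SECRETARY} {SECRETARY_ID} .
{SECRETARY_ID} {CERT_KEY} _:seckey .
_:seckey {CERT_MODULUS} "deadbeef0002" .
_:seckey {CERT_EXPONENT} "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
"""

# Constructed sample: the secretary's profile on freedombox.p0wned.com AFTER
# the box was taken over and the profile rewritten for the intruder's cert.
COMPROMISED_SECRETARY_PROFILE = f"""
{SECRETARY_ID} {CERT_KEY} _:evilkey .
_:evilkey {CERT_MODULUS} "0badcafe0003" .
_:evilkey {CERT_EXPONENT} "65537" .
"""

_NT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s*\.$")


def parse_ntriples(text: str) -> List[Triple]:
    """Minimal N-Triples reader: one '<s> <p> <o> .' statement per line;
    objects may be IRIs, blank nodes (_:x) or "literals"."""
    triples: List[Triple] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NT_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed N-Triples line: {line!r}")
        triples.append((m.group(1), m.group(2), m.group(3)))
    return triples


def _literal(obj: str) -> str:
    """Return the lexical form of a literal, dropping quotes and ^^datatype."""
    return obj.split('"')[1]


def normalise_key(key: Key) -> Key:
    """Canonical form so that "00 DE AD" and "dead" compare equal."""
    modulus, exponent = key
    return (modulus.replace(" ", "").lower().lstrip("0"), exponent.lstrip("0"))


def declared_keys(triples: List[Triple], subject: str) -> Set[Key]:
    """Every RSA key the graph attaches to `subject` through cert:key."""
    keys: Set[Key] = set()
    for s, p, key_node in triples:
        if s != subject or p != CERT_KEY:
            continue
        modulus = exponent = None
        for s2, p2, o2 in triples:
            if s2 != key_node:
                continue
            if p2 == CERT_MODULUS:
                modulus = _literal(o2)
            elif p2 == CERT_EXPONENT:
                exponent = _literal(o2)
        if modulus and exponent:
            keys.add(normalise_key((modulus, exponent)))
    return keys


def naive_check(secretary_profile: str, secretary: str, tls_key: Key) -> bool:
    """Plain WebID lookup: trust whatever the secretary's own profile says about
    its key. Whoever controls the secretary's host controls this answer."""
    return normalise_key(tls_key) in declared_keys(parse_ntriples(secretary_profile), secretary)


def may_act_on_behalf_of(owner_profile: str, owner: str, secretary: str, tls_key: Key) -> bool:
    """Hardened check: honour On-Behalf-Of only if the OWNER's profile names
    `secretary` as a delegate and declares the key the secretary's TLS client
    certificate actually carries. The secretary's own host is not consulted."""
    triples = parse_ntriples(owner_profile)
    if (owner, SECRETARY, secretary) not in triples:
        return False
    return normalise_key(tls_key) in declared_keys(triples, secretary)


def demo() -> Dict[str, bool]:
    """Verdicts for the TLS keys a relying party might be shown."""
    genuine = ("deadbeef0002", "65537")  # the secretary's original cert
    rotated = ("0badcafe0003", "65537")  # cert minted after the takeover
    return {
        "naive/rotated_cert": naive_check(COMPROMISED_SECRETARY_PROFILE, SECRETARY_ID, rotated),
        "hardened/genuine_cert": may_act_on_behalf_of(ALICE_PROFILE, OWNER, SECRETARY_ID, genuine),
        "hardened/rotated_cert": may_act_on_behalf_of(ALICE_PROFILE, OWNER, SECRETARY_ID, rotated),
        "hardened/undeclared_secretary": may_act_on_behalf_of(
            ALICE_PROFILE, OWNER, "<http://freedombox.p0wned.com/other#me>", genuine),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The point the two checks make concrete: after the takeover the naive check still says yes, because the attacker rewrote the only document it consults, whereas the hardened check keeps saying no until Alice herself updates her profile. What it does not cover is the case the mail concedes, namely an attacker who steals the secretary's original private key rather than minting a new cert; that key is still the one Alice declared, so revocation on Alice's side remains the only remedy.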