W3C home > Mailing lists > Public > public-webid@w3.org > October 2012

security consideration: certificate creation over TLS

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 19 Oct 2012 11:22:09 +0200
Message-Id: <8D85BE25-2B6B-4DF3-B24A-EE135153C9DB@bblfish.net>
To: "public-webid@w3.org" <public-webid@w3.org>
to add to ISSUE-34:

  the security considerations section should suggest that certificates using keygen be created over a TLS connection. The danger otherwise is that a man in the middle could intercept the public key data, send that on to the server, which would add the public key to the profile, create a certificate and return it in the usual manner. But here the man in the middle would then capture the returned certificate, create a new certificate but add a new webid to the san, sign it, and send it on to the client. This would allow the man in the middle then to later confuse servers that could decude from the existence of the two WebIDs in the certificate that both were owl:sameAs each other. 

  Henry

Social Web Architect
http://bblfish.net/



Received on Friday, 19 October 2012 09:22:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:37 UTC