Should we employ WebID authentication only with Self-signed certificates?


The integrity of a PKI certificate is checked by the signature of the CA.
If the certificate of the CA is missing in the chain then we can use the
WebID authentication (if the certificate involves a WebID URI). However,
since we do not trust the CA, we cannot trust the signature either.  As a
result, we may authenticate a certificate owner by employing WebID
authentication, but we cannot be sure of the integrity of the certificate.
Does WebID handle integrity in a different way?

*Detailed explanation is as follows:*

I am converting EAP-TLS wifi authentication to allow webid authentication
and authorization. I use Hostapd opensource software and hostapd uses
When openssl cannot authenticate a certificate, it calls a
"verify_callback" method and in which I place webid authentication. Openssl
calls the verify_callback method for every error of a certificate in case
we may want to apply different security measures.
Anyway, if the certificate is self-signed, I get error 18 (self-signed
error) and continue with Webid.
However, if I use a certificate signed by a website, let's say from, it raises three errors:

*27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted*

the root CA is not marked as trusted for the specified purpose.

*20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
issuer certificate*

the issuer certificate could not be found: this occurs if the issuer
certificate of an untrusted certificate cannot be found.
*21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first

no signatures could be verified because the chain contains only one
certificate and it is not self signed.
Since the signature of the certificate is created by using private key of and my-profile is not in the certificate chain, openssl warns
me about the above problems. Normally, I was ignoring those and keep going
with WebID. However, I realized that error #21 can lead to a
man-in-the-middle attack since we are not checking the integrity of the

Best Regards

Received on Wednesday, 30 January 2013 21:54:24 UTC