Re: Should we employ WebID authentication only with Self-signed certificates? from Andrei Sambra on 2013-01-31 (public-webid@w3.org from January 2013)

From: Andrei Sambra <andrei.sambra@gmail.com>
Date: Thu, 31 Jan 2013 12:13:12 +0100
To: Yunus Durmuş <yunus@yanis.co>
Cc: Henry Story <henry.story@bblfish.net>, public-webid <public-webid@w3.org>
Message-ID: <CAFG79egRf-LVFQS-FTMCVVjwWETECTPuNJkaoSjm3A4VpncQKA@mail.gmail.com>
Hi again,

On Thu, Jan 31, 2013 at 11:36 AM, Yunus Durmuş <yunus@yanis.co> wrote:

> Thanks for the replies, I will update my code accordingly, I will allow CA
> issued certificates, too.
>
> TLS verifies that certificate owner obtains the corresponding private key.
>  However, I checked the TLS standard and I see that at least the server
> certificate is transmitted openly.
>

What exactly do you mean by integrity check? Validating the server
certificate or the client certificate? You need to understand that whenever
I mentioned CA, I didn't do it because WebID _requires_ a CA, but because
issuing new self-signed certificates is very difficult (see impossible)
when using the HTML5 KEYGEN element. Using a CA to sign the client
certificates is just an implementation detail, it has nothing to do with
the WebID spec.


> Without integrity check of the certificate, an adversary can change the
> fields like Common Name, Valid Before etc. I am aware that WebID has
> nothing to do with those fields since the main idea is being related to a
> profile page. But I think the software should be aware that the information
> on  CA issued certificates might have  been altered. The logic should not
> depend on the side information which is presented in the certificate.
>

You are describing an attack which is valid only when using a PKI. This
attack has _nothing_ to do with WebID, since the private key of the client
certificate is never exposed to anyone. Please go over the spec one more
time and look at how a client certificate is matched against a user
profile. It will become very clear why you shouldn't worry about this issue.


>
> Sorry for mentioning my-profile, it seemed a kind of offensive but I
> assure you that there was no such intent. I am heavily using my-profile :).
>

There was nothing offensive in what you said about MyProfile, so don't
worry about it. :-)

Andrei

 Best Regards
> yunus
>
>
> On Thu, Jan 31, 2013 at 10:07 AM, Henry Story <henry.story@bblfish.net>wrote:
>
>> +1 on all that Andrei, said below, with one minor comment.
>>
>> On 31 Jan 2013, at 09:58, Andrei Sambra <andrei.sambra@gmail.com> wrote:
>>
>> Hi Yunus, and thanks for showing interest in WebID. I'm responsible for
>> MyProfile so I'll do my best to reassure you about several things.
>>
>> I think that what you are fearing here is out of scope in the case of
>> WebID. The whole point of WebID-TLS is to avoid having to rely on a PKI
>> (CA), and in turn move towards a web of trust system, similar to GNU PGP.
>> During the WebID TLS authentication, you never need to check the issuer.
>>
>>
>> We still need CAs so that clients can verify the server. This requirement
>> for CAs for server authentication should one
>> day no longer be the only option, when DANE is adopted in browsers and
>> eleswhere
>> http://datatracker.ietf.org/doc/rfc6394/
>> http://datatracker.ietf.org/doc/rfc6698/
>>
>>
>> The OpenSSL manual states that error 21 means "no signatures could be
>> verified because the chain contains only one certificate and it is not self
>> signed". This is normal behavior, since MyProfile certificates are issued
>> by a local CA with absolutely no intent to validate this CA by anyone, at
>> any given time. However, error 21 does _not_ mean that your client
>> certificate cannot be verified. The only verification that is performed
>> during the TLS handshake is that your certificate's public key matches its
>> private key. So you see, you can't really have a PKI MiM attack here. :-)
>>
>> I hope I've been as clear as possible. If you still need more
>> information, please look up the WebID spec, for details on its TLS
>> authentication. http://www.w3.org/2005/Incubator/webid/spec/
>>
>> Best,
>> Andrei
>>
>>
>>
>> On Wed, Jan 30, 2013 at 3:46 PM, Yunus Durmuş <yunus@yanis.co> wrote:
>>
>>> Hi,
>>>
>>> The integrity of a PKI certificate is checked by the signature of the
>>> CA. If the certificate of the CA is missing in the chain then we can use
>>> the WebID authentication (if the certificate involves a WebID URI).
>>> However, since we do not trust the CA, we cannot trust the signature
>>> either.  As a result, we may authenticate a certificate owner by employing
>>> WebID authentication, but we cannot be sure of the integrity of the
>>> certificate. Does WebID handle integrity in a different way?
>>>
>>> *Detailed explanation is as follows:*
>>>
>>> I am converting EAP-TLS wifi authentication to allow webid
>>> authentication and authorization. I use Hostapd opensource software and
>>> hostapd uses openssl.
>>> When openssl cannot authenticate a certificate, it calls a
>>> "verify_callback" method and in which I place webid authentication. Openssl
>>> calls the verify_callback method for every error of a certificate in case
>>> we may want to apply different security measures.
>>> Anyway, if the certificate is self-signed, I get error 18 (self-signed
>>> error) and continue with Webid.
>>> However, if I use a certificate signed by a website, let's say from
>>> my-profile.eu, it raises three errors:
>>>
>>> *27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted*
>>>
>>> the root CA is not marked as trusted for the specified purpose.
>>>
>>> *20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local
>>> issuer certificate*
>>>
>>> the issuer certificate could not be found: this occurs if the issuer
>>> certificate of an untrusted certificate cannot be found.
>>> *21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the
>>> first certificate*
>>>
>>> no signatures could be verified because the chain contains only one
>>> certificate and it is not self signed.
>>> Since the signature of the certificate is created by using private key
>>> of my-profile.eu and my-profile is not in the certificate chain,
>>> openssl warns me about the above problems. Normally, I was ignoring those
>>> and keep going with WebID. However, I realized that error #21 can lead to a
>>> man-in-the-middle attack since we are not checking the integrity of the
>>> certificate.
>>>
>>>
>>> Best Regards
>>> yunus
>>>
>>>
>>>
>>>
>>
>>    Social Web Architect
>> http://bblfish.net/
>>
>>
>
Received on Thursday, 31 January 2013 11:13:59 UTC