- From: Andrei Sambra <andrei.sambra@gmail.com>
- Date: Tue, 2 Jul 2013 15:40:59 +0200
- Cc: peter williams <home_pw@msn.com>, public-webid Group <public-webid@w3.org>
- Message-ID: <CAFG79eirg04rf+RgwcW8tdEsHoN66BPbVy4_KgVatSspB7am_g@mail.gmail.com>
Peter, even though you see TLS in the WebID-TLS spec name, it has nothing to do with the classic PKI trust chain verification. The only aspects of TLS involved in WebID-TLS authentication relate to the verification of a private key corresponding to the certificate you authenticate with. In other words, we're just using TLS to make sure that there is a private key that matches the public key. Nothing more.

Andrei

On Tue, Jul 2, 2013 at 3:30 PM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> On 2 July 2013 15:07, peter williams <home_pw@msn.com> wrote:
>
>> Why the focus on that tls spec? It focuses on an applied variant of
>> channel bindings tokens (that more generally address non-detection of
>> cert-based mitm).
>
> TLS was historically the first working solution to WebID Authentication.
> So that was the first spec written, and the first implementations. It's
> only in the last year that WebID Identity and Auth were split so that makes
> things more modular now.
>
>> I thought webid made the assumption that states and corporations don't
>> engage in such activities (perhaps as ordered, in the case of large
>> corporations) and thus such vulnerabilities are just "defined" as out of
>> scope for webid?
>
> One advantage of using x.509 certs is that when putting our identity
> inside, you don't need to do any typing or clicking buttons.
>
> In terms of security TLS has known weaknesses, I think the spec has
> a security considerations section
>
>> Stéphane Corlosquet <scorlosquet@gmail.com> wrote:
>>
>> On Fri, Jun 14, 2013 at 5:34 AM, Henry Story <henry.story@bblfish.net> wrote:
>>
>>> On 13 Jun 2013, at 22:31, Henry Story <henry.story@bblfish.net> wrote:
>>>
>>> > Yes, we have two specs:
>>> >
>>> > https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
>>> > https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
>>> >
>>> > I am not sure why we don't get the full html view anymore.
>>> > Anyone know what we need to change?
>>>
>>> I fixed these. The problem is related to the move to the new
>>> respec.js https://github.com/darobin/respec/
>>>
>>> It no longer allows one to add spec refs to the js as one used
>>> to be able to
>>>
>>> see diff https://dvcs.w3.org/hg/WebID/rev/7f01174c75b0
>>>
>>> So the TLS spec now is missing two references
>>>
>>> [[
>>> berjon.biblio["RFC5746"] = "E. Rescorla, M. Ray, S. Dispensa, N.
>>> Oskov, <a href=\"http://tools.ietf.org/html/rfc5746\"><cite>Transport
>>> Layer Security (TLS) Renegotiation Indication Extension</cite></a> February
>>> 2010. Internet RFC 5246. URL: <a href=\"
>>> http://tools.ietf.org/html/rfc5746\">http://tools.ietf.org/html/rfc5746</a>
>>> ";
>>>
>>> berjon.biblio["WEBID"] = "Andrei Sambra, Stéphane Corlosquet. <a
>>> href='
>>> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html'
>>> ]]
>>>
>>> Any idea how one can get those added to the code using the new specref?
>>
>> I've fixed that with [1]. The updated TLS document doesn't show errors
>> now [2].
>>
>> Steph.
>>
>> [1] https://dvcs.w3.org/hg/WebID/rev/49894597ee18
>> [2] https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html

Received on Tuesday, 2 July 2013 13:41:47 UTC