Re: Request for Review of WebID specs before publishing from Henry Story on 2013-09-10 (public-webid@w3.org from September 2013)

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 10 Sep 2013 09:00:34 +0200
To: Andrei Sambra <andrei.sambra@gmail.com>
Cc: Erich Bremer <erich@ebremer.com>, "public-webid@w3.org" <public-webid@w3.org>
Message-Id: <B28AF08E-223E-4DF4-A524-9197146AEA59@bblfish.net>
On 6 Sep 2013, at 21:48, Andrei Sambra <andrei.sambra@gmail.com> wrote:

> 
> On Fri, Sep 6, 2013 at 9:41 PM, Erich Bremer <erich@ebremer.com> wrote:
> On that note, should we add language to support certificate revocation lists in the cert ontology?
> See: http://www.ietf.org/rfc/rfc5280.txt
> 3.3 Revocation
> and
> 5.3.1. Reason Code
> 
>    CRLReason ::= ENUMERATED {
>         unspecified             (0),
>         keyCompromise           (1),
>         cACompromise            (2),
>         affiliationChanged      (3),
>         superseded              (4),
>         cessationOfOperation    (5),
>         certificateHold         (6),
>              -- value 7 is not used
>         removeFromCRL           (8),
>         privilegeWithdrawn      (9),
>         aACompromise           (10) }
> 
> If like you say, someone breaks RSA (like NSA ;-), how do we indicate in a standardize way to the WebID community why a key was disabled?  Deleting a key cuts off any issues, but if I am trying to validate why Henry posted something "not so nice" about me on https://my-profile.eu/ on 11/1/2013, it could have been a hacker who stole his private key.  Henry then, with CRL language in his WebID profile could indicate that a particular key was compromised on 11/2/2013 with a "cACompromise". Now instead of guessing, I have an idea that it wasn't probably him.  - Erich

This is issue-67
http://www.w3.org/2005/Incubator/webid/track/issues/67

Currently keys have been mathematical objects ( like numbers ). Adding a time stamp
would turn them into time slices of mathematical objects. This would require then changing
all implementations to look for time slice information in their verficiation algorithms.

An X509 Certificate seems to give a validity time to the certificate itself. (Two certs
could have the same keys and different "Not After" values. ), which is a bit similar
to the HTTP valdiity times of a representation.

We could add a revocation mecanism quite easily by adding a cert:revoked relation such as this

<#i> cert:revoked [ a :Revocation;
                               cert:revokedKey <#key1> ;
                               cert:fromDate "2013-08-12T01:12:12"^^xsd:dateTime ;
                               :comment "Lost my computer";
                              ] .

These revocations could then by subtyped for different reasons for revocations.
Of course the user should remove the cert:key relation from his WebID Profile, since that 
establishes the current validity of the relation between the agent and the key ( as specified
by the HTTP validity time of the document of course )

Note how nothing in the cert ontology stops one from naming keys.

Henry

> True, but in that case, there is no indication that a particular key was used by Henry when he auth'd to https://my-profile.eu/ when he posted. This mechanism would involve a full traceability of the user's actions, on all the services he visited. Maybe we drop it for now and open an ISSUE on the tracker, to deal with it once we're done with the review.
> 
> Andrei
>  
> 
> 
> On 09/06/13 3:22 PM, Andrei Sambra wrote:
>> On Fri, Sep 6, 2013 at 9:14 PM, Erich Bremer <erich@ebremer.com> wrote:
>> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
>> 
>> 2.2.1.1 Cryptographic Vocabulary
>> 
>> "The following properties should be used when conveying the relation between the Subject and his or her key, within WebID Profile documents:"
>> 
>> Shouldn't "SHOULD" be "MUST"?  - Erich
>> 
>> Good question!
>> 
>> I've been recently thinking about that section. I think SHOULD is ok for now, as long as we mention that WebID-TLS supports multiple encryption algorithms that are available for TLS.
>> 
>> And now...what if tomorrow we find out that a new attack completely breaks RSA? This is probably a question that we can ask once we move to a WG.
>> 
>> Andrei
>>  
>> 
>> 
>> 
>> On 09/05/13 9:52 AM, Henry Story wrote:
>>> Dear WebID Community Group,
>>> 
>>>   we now have three specs up on github here
>>> 
>>>    https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html
>>> 
>>> All editors think that it is time to publish a new version 
>>> on the W3C WebID Incubator space, to finalise the distinction
>>> between WebID, WebID-TLS, and the cert ontology.
>>> 
>>> So we would like to be able to publish the specs above
>>> at the following location, by Friday 20 September 2013
>>> 
>>>   http://www.w3.org/2005/Incubator/webid/spec/
>>> 
>>> We would be very happy to receive feedback from
>>> the community before doing so. If you can spot 
>>> any errors or improvements please let us know, 
>>> we'll do our best to get them in before publication.
>>> 
>>>    Thanks,
>>> 
>>> 		Henry Story  
>>> 
>>> 
>>> Social Web Architect
>>> http://bblfish.net/
>>> 
>>> 
>> 
>> 
> 
> 

Social Web Architect
http://bblfish.net/
Received on Tuesday, 10 September 2013 07:01:06 UTC