RAW public keys and WebID - where the URI goes from Yunus Durmuş on 2014-11-21 (public-webid@w3.org from November 2014)

From: Yunus Durmuş <yunus@yanis.co>
Date: Fri, 21 Nov 2014 12:29:54 +0100
To: public-webid <public-webid@w3.org>
Message-ID: <CAP_smCkMr1BkgFGriEMYdjPUF6cojeQ4tpqzXNdjZw+G43P7YQ@mail.gmail.com>

Hi everyone,

These days, RAW public keys (RFC-7250 <http://tools.ietf.org/html/rfc7250>)
are being pushed for tiny constrained devices. As the name suggests,
instead of an X509 certificate, only the public key is transferred nothing
else -even the identity and signature-. The motivation behind is that there
will be less bits on the wire and there won't be any need for certificate
parsing/validation code.

Then the question is how can we transfer the magic URI for the WebID
protocol? We can  embed the uri in the messages of DTLS (Datagram-TLS) or
we can attach it to the end of public key. However, there won't be a
certificate signature that verifies the integrity of the URI.

Do you consider it as a serious problem? With a man in the middle attack,
the URI can be altered, which results in a DOS attack. But, to me, it is
the same as changing the X509 certificate on the wire with a new one.

best
--yunus

Received on Friday, 21 November 2014 11:30:43 UTC