W3C home > Mailing lists > Public > public-webid@w3.org > November 2014

Re: RAW public keys and WebID - where the URI goes

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 21 Nov 2014 14:56:27 +0100
Message-ID: <CAKaEYhKkTDQL6tbG-1N_ZrExbEhvLjNecnHa42GEZy81SXS-HQ@mail.gmail.com>
To: Yunus Durmuş <yunus@yanis.co>
Cc: public-webid <public-webid@w3.org>
On 21 November 2014 12:29, Yunus Durmuş <yunus@yanis.co> wrote:

> Hi everyone,
>
> These days, RAW public keys (RFC-7250 <http://tools.ietf.org/html/rfc7250>)
> are being pushed for tiny constrained devices. As the name suggests,
> instead of an X509 certificate, only the public key is transferred nothing
> else -even the identity and signature-. The motivation behind is that there
> will be less bits on the wire and there won't be any need for certificate
> parsing/validation code.
>
> Then the question is how can we transfer the magic URI for the WebID
> protocol? We can  embed the uri in the messages of DTLS (Datagram-TLS) or
> we can attach it to the end of public key. However, there won't be a
> certificate signature that verifies the integrity of the URI.
>
> Do you consider it as a serious problem? With a man in the middle attack,
> the URI can be altered, which results in a DOS attack. But, to me, it is
> the same as changing the X509 certificate on the wire with a new one.
>

Nice find, thank you for sharing!

I'm starting to use public keys themselves as identity, much like bitcoin
does.

It's also possible to send a public key URI in the HTTP headers.


>
> best
> --yunus
>
Received on Friday, 21 November 2014 13:57:03 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:50 UTC