- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 21 Nov 2014 14:56:27 +0100
- To: Yunus Durmuş <yunus@yanis.co>
- Cc: public-webid <public-webid@w3.org>
Received on Friday, 21 November 2014 13:57:03 UTC
On 21 November 2014 12:29, Yunus Durmuş <yunus@yanis.co> wrote:

> Hi everyone,
>
> These days, RAW public keys (RFC-7250 <http://tools.ietf.org/html/rfc7250>)
> are being pushed for tiny constrained devices. As the name suggests,
> instead of an X509 certificate, only the public key is transferred, nothing
> else -even the identity and signature-. The motivation behind it is that there
> will be fewer bits on the wire and there won't be any need for certificate
> parsing/validation code.
>
> Then the question is how can we transfer the magic URI for the WebID
> protocol? We can embed the URI in the messages of DTLS (Datagram-TLS) or
> we can attach it to the end of the public key. However, there won't be a
> certificate signature that verifies the integrity of the URI.
>
> Do you consider it as a serious problem? With a man-in-the-middle attack,
> the URI can be altered, which results in a DoS attack. But, to me, it is
> the same as changing the X509 certificate on the wire with a new one.
>

Nice find, thank you for sharing!

I'm starting to use public keys themselves as identity, much like bitcoin does.

It's also possible to send a public key URI in the HTTP headers.

>
> best
> --yunus
>
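Added example, not part of the original thread: a sketch of the verifier-side check that decides what an altered, unsigned URI can achieve when the key arrives as an RFC 7250 raw public key. It assumes the handshake has already proven possession of the private key for the presented key, and that profiles are fetched over an authenticated channel; the URIs, key bytes, in-memory profile store and fingerprint comparison (real WebID profiles list key parameters in RDF) are constructed stand-ins.

```python
import hashlib
from enum import Enum

class Result(Enum):
    ACCEPTED = "accepted"
    NO_PROFILE = "rejected: profile could not be retrieved"
    KEY_NOT_LISTED = "rejected: presented key is not listed in the claimed profile"

def fingerprint(spki: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo bytes carried as the raw public key."""
    return hashlib.sha256(spki).hexdigest()

# Constructed sample data: placeholder bytes standing in for DER-encoded keys.
ALICE_KEY = b"constructed-spki-bytes-for-alice"
BOB_KEY = b"constructed-spki-bytes-for-bob"
PROFILES = {
    "https://alice.example/card#me": {fingerprint(ALICE_KEY)},
    "https://bob.example/card#me": {fingerprint(BOB_KEY)},
}

def fetch_profile_keys(uri: str):
    """Hypothetical stand-in for dereferencing the WebID URI (assumed authenticated)."""
    return PROFILES.get(uri)

def verify_claim(claimed_uri: str, presented_spki: bytes) -> Result:
    """The URI is only a claim; it is accepted only if its profile lists the key."""
    listed = fetch_profile_keys(claimed_uri)
    if listed is None:
        return Result.NO_PROFILE
    if fingerprint(presented_spki) not in listed:
        return Result.KEY_NOT_LISTED
    return Result.ACCEPTED

def demo() -> dict:
    return {
        # URI delivered unmodified alongside Alice's raw public key.
        "unmodified": verify_claim("https://alice.example/card#me", ALICE_KEY),
        # URI altered in transit to one with no profile: authentication fails.
        "altered_unknown": verify_claim("https://nobody.example/card#me", ALICE_KEY),
        # URI altered to another user's WebID: still a failure, not a new identity.
        "altered_to_bob": verify_claim("https://bob.example/card#me", ALICE_KEY),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result.value}")
```

In every altered case the outcome is a rejection, which matches the denial-of-service effect described in the quoted message: the binding between URI and key comes from the profile lookup, not from a signature over the URI.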