W3C home > Mailing lists > Public > public-webid@w3.org > November 2014

Re: RAW public keys and WebID - where the URI goes

From: <henry.story@bblfish.net>
Date: Fri, 21 Nov 2014 18:30:29 +0100
Cc: public-webid <public-webid@w3.org>
Message-Id: <9E8D3874-D6E9-4B73-9E28-A62E67932AF9@bblfish.net>
To: Yunus Durmuş <yunus@yanis.co>

> On 21 Nov 2014, at 12:29, Yunus Durmuş <yunus@yanis.co> wrote:
> 
> Hi everyone,
> 
> These days, RAW public keys (RFC-7250 <http://tools.ietf.org/html/rfc7250>) are being pushed for tiny constrained devices. As the name suggests, instead of an X509 certificate, only the public key is transferred nothing else -even the identity and signature-. The motivation behind is that there will be less bits on the wire and there won't be any need for certificate parsing/validation code. 

Seems like an interesting  idea.

> 
> Then the question is how can we transfer the magic URI for the WebID protocol? We can  embed the uri in the messages of DTLS (Datagram-TLS) or we can attach it to the end of public key. However, there won't be a certificate signature that verifies the integrity of the URI.
> 
> Do you consider it as a serious problem? With a man in the middle attack, the URI can be altered, which results in a DOS attack. But, to me, it is the same as changing the X509 certificate on the wire with a new one.

if you look at the sequence diagram in WebID TLS
 
   http://www.w3.org/2005/Incubator/webid/spec/tls/#authentication-sequence

In 1) the TLS setup is done using the server certificate
from then on all communication is secured.

4) then happens over a secured connection.

How does a man in the middle attack take place?

Henry

> 
> best
> --yunus

Social Web Architect
http://bblfish.net/
Received on Friday, 21 November 2014 17:31:04 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:50 UTC