
Re: RAW public keys and WebID - where the URI goes

From: <henry.story@bblfish.net>
Date: Fri, 21 Nov 2014 18:30:29 +0100
Cc: public-webid <public-webid@w3.org>
Message-Id: <9E8D3874-D6E9-4B73-9E28-A62E67932AF9@bblfish.net>
To: Yunus Durmuş <yunus@yanis.co>

> On 21 Nov 2014, at 12:29, Yunus Durmuş <yunus@yanis.co> wrote:
> Hi everyone,
> These days, RAW public keys (RFC-7250 <http://tools.ietf.org/html/rfc7250>) are being pushed for tiny constrained devices. As the name suggests, instead of an X509 certificate, only the public key is transferred, nothing else, not even the identity and signature. The motivation behind this is that there will be fewer bits on the wire and there won't be any need for certificate parsing/validation code.

Seems like an interesting idea.

> Then the question is how can we transfer the magic URI for the WebID protocol? We can embed the URI in the messages of DTLS (Datagram-TLS) or we can attach it to the end of the public key. However, there won't be a certificate signature that verifies the integrity of the URI.
> Do you consider it as a serious problem? With a man in the middle attack, the URI can be altered, which results in a DOS attack. But, to me, it is the same as changing the X509 certificate on the wire with a new one.

If you look at the sequence diagram in WebID TLS:

In 1) the TLS setup is done using the server certificate;
from then on all communication is secured.

4) then happens over a secured connection.

How does a man in the middle attack take place?


> best
> --yunus

Social Web Architect
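The point at issue in the exchange above is what a verifier actually does with the WebID URI once the TLS channel is up. The following is an added example, not code from the thread, from the WebID-TLS spec or from RFC 7250: it models a WebID-TLS style check in which the URI is only a pointer, and what is verified is that the profile reached through that pointer lists the key the client presented. The framing (a 2-byte length, the raw key, then the URI) and the in-memory profile store standing in for an HTTP fetch of the profile document are assumptions of this example, as are the sample keys and URIs. It assumes the TLS layer has already proven possession of the private key for the presented public key (as the CertificateVerify message does for a raw public key), which is what makes key comparison meaningful.

```python
"""Added example (not from the mailing-list thread): a WebID-TLS style
verifier for an unsigned WebID URI carried next to an RFC 7250 raw public
key. The framing, the in-memory profile store, and the sample data are all
assumptions of this example, not anything the spec or RFC defines."""
import hashlib
import struct
from typing import Callable, Optional, Set, Tuple

# Constructed sample data. Real raw public keys are DER SubjectPublicKeyInfo
# blobs; opaque byte strings stand in for them here.
ALICE_KEY = b"\x30\x59\x30\x13" + b"alice-spki-bytes"      # constructed
MALLORY_KEY = b"\x30\x59\x30\x13" + b"mallory-spki-bytes"  # constructed
ALICE_WEBID = "https://alice.example/profile#me"           # assumed URI
MALLORY_WEBID = "https://mallory.example/profile#me"       # assumed URI


def fingerprint(spki: bytes) -> str:
    """SHA-256 over the raw SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki).hexdigest()


# Stand-in for dereferencing the WebID URI over the already-secured channel
# (step 4 in the WebID-TLS sequence) and reading the keys the profile lists.
PROFILE_STORE = {
    ALICE_WEBID: {fingerprint(ALICE_KEY)},
    MALLORY_WEBID: {fingerprint(MALLORY_KEY)},
}


def encode_payload(spki: bytes, webid: str) -> bytes:
    """Hypothetical framing: 2-byte big-endian key length, key, UTF-8 URI."""
    if len(spki) > 0xFFFF:
        raise ValueError("key too long for 2-byte length prefix")
    return struct.pack("!H", len(spki)) + spki + webid.encode("utf-8")


def decode_payload(payload: bytes) -> Tuple[bytes, str]:
    """Inverse of encode_payload; rejects truncated input."""
    if len(payload) < 2:
        raise ValueError("payload shorter than length prefix")
    (klen,) = struct.unpack("!H", payload[:2])
    spki = payload[2:2 + klen]
    if len(spki) != klen:
        raise ValueError("payload truncated inside the key")
    return spki, payload[2 + klen:].decode("utf-8")


def verify_webid(presented_spki: bytes, claimed_webid: str,
                 fetch: Callable[[str], Optional[Set[str]]] = PROFILE_STORE.get) -> str:
    """Return 'ok' when the profile at claimed_webid lists the presented key.

    The URI is not trusted on its own: it only says where to look. Because
    TLS has already proven possession of the private key for presented_spki,
    a tampered URI can make this check fail (denial of service) but cannot
    make a different key pass as the profile's owner."""
    keys = fetch(claimed_webid)
    if keys is None:
        return "profile-not-found"
    if fingerprint(presented_spki) not in keys:
        return "key-not-in-profile"
    return "ok"


def handshake_outcome(payload: bytes) -> str:
    """Decode the framed (key, URI) pair and run the WebID check on it."""
    spki, webid = decode_payload(payload)
    return verify_webid(spki, webid)


if __name__ == "__main__":
    print("honest client   :", handshake_outcome(encode_payload(ALICE_KEY, ALICE_WEBID)))
    print("URI swapped     :", handshake_outcome(encode_payload(ALICE_KEY, MALLORY_WEBID)))
    print("key swapped     :", handshake_outcome(encode_payload(MALLORY_KEY, ALICE_WEBID)))
    print("dangling URI    :", handshake_outcome(encode_payload(ALICE_KEY, "https://nobody.example/#me")))
```

The four cases in the `__main__` block are the ones the thread argues about: an on-path attacker who rewrites the URI while leaving Alice's key in place only gets Alice rejected, an attacker who substitutes their own key under Alice's URI is rejected because Alice's profile does not list that key, and an attacker who presents their own key with their own URI is accepted only as themselves. The caveat a practitioner should keep in mind is the proof-of-possession assumption: if a transport ever let a client present a public key without demonstrating the matching private key, comparing keys against a profile would prove nothing.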

Received on Friday, 21 November 2014 17:31:04 UTC
