W3C home > Mailing lists > Public > public-webid@w3.org > November 2014

Re: RAW public keys and WebID - where the URI goes

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Sat, 22 Nov 2014 12:55:02 +1100
Message-Id: <8AFC06A7-C0A7-4EF0-BC6D-D8E688DB1D88@gmail.com>
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, Yunus Durmuş <yunus@yanis.co>, public-webid <public-webid@w3.org>
To: Andrei Sambra <andrei.sambra@gmail.com>



> On 22 Nov 2014, at 1:16 am, Andrei Sambra <andrei.sambra@gmail.com> wrote:
> 
> Hi all,
> 
>> On Fri, Nov 21, 2014 at 8:56 AM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>> 
>> 
>>> On 21 November 2014 12:29, Yunus Durmuş <yunus@yanis.co> wrote:
>>> Hi everyone,
>>> 
>>> These days, RAW public keys (RFC 7250) are being pushed for tiny constrained devices. As the name suggests, instead of an X.509 certificate, only the public key is transferred, nothing else (not even the identity and signature). The motivation behind this is that there will be fewer bits on the wire and there won't be any need for certificate parsing/validation code.
>>> 
>>> Then the question is how can we transfer the magic URI for the WebID protocol? We can embed the URI in the messages of DTLS (Datagram-TLS) or we can attach it to the end of the public key. However, there won't be a certificate signature that verifies the integrity of the URI.
>>> 
>>> Do you consider it a serious problem? With a man-in-the-middle attack, the URI can be altered, which results in a DoS attack. But, to me, it is the same as changing the X.509 certificate on the wire with a new one.
>> 
>> Nice find, thank you for sharing!
>> 
>> I'm starting to use public keys themselves as identity, much like bitcoin does.
> There is a bit of a trade-off here. While in bitcoin's case it works fine, because people need a persistent public key that matches their wallet, for WebID this would not work, and here is why. The identity model simply does not rely on public keys because they are (and should be) replaceable as soon as the user thinks that's the case (e.g. losing a phone or a laptop, changing browser, etc.). There is simply too much of a turnover for the keys in WebID-TLS. :-)
> 
IMHO - webid-tls works very well to identify the agent, being the browser, phone, tv, laptop, etc.

Addressing a particular user to that device agent (and rule set) is then an ldp / rww / credentials, or more broadly, other issue.

Multiple people can, and do, use devices. This doesn't negate the benefit of the design, just the contents of the applied document, I think...

> -- Andrei
>
>> It's also possible to send a public key URI in the HTTP headers.
>>
>>> best
>>> --yunus
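The integrity point Yunus raises above, worked through in code as an added example (this is not code from the thread, from the WebID project, or from RFC 7250). One EC key pair is presented both ways: as a self-signed WebID-TLS style X.509 certificate carrying the WebID URI in subjectAltName, and as a bare RFC 7250 SubjectPublicKeyInfo with the URI simply appended. A man-in-the-middle rewrites the URI in each form; the certificate's self-signature catches the edit locally, the raw form has nothing to check, and in both cases the WebID step itself (dereference the URI, compare the published key) is what rejects the altered URI, which is Yunus's "same as swapping the certificate" observation. It needs the third-party `cryptography` package; the two URIs and the in-memory profile table are constructed stand-ins for real profile documents.

```python
"""Added example: WebID-TLS certificate vs RFC 7250 raw public key plus unsigned URI.
Needs the third-party `cryptography` package. URIs and profiles are constructed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

WEBID = "https://alice.example/profile#me"    # constructed: the agent's real WebID
EVIL = "https://mallory.example/cards#me"     # constructed: attacker's URI, same byte length


def make_webid_cert(key, webid):
    """Self-signed WebID-TLS style certificate; the SAN URI is covered by the signature."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "WebID agent")])
    start = datetime.datetime(2014, 11, 22)   # naive datetime is treated as UTC
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(x509.SubjectAlternativeName(
                   [x509.UniformResourceIdentifier(webid)]), critical=False))
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def raw_public_key(key):
    """RFC 7250 form: only the SubjectPublicKeyInfo, no name, no signature."""
    return key.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)


def self_signature_ok(cert_der):
    """Local check available only for the X.509 form: verify the self-signature over the TBS."""
    cert = x509.load_der_x509_certificate(cert_der)
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def webid_in_cert(cert_der):
    san = x509.load_der_x509_certificate(cert_der).extensions.get_extension_for_class(
        x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.UniformResourceIdentifier)[0]


def mitm_rewrite_cert_uri(cert_der, old, new):
    """On-wire tampering: overwrite the URI bytes inside the DER (same length keeps it parseable)."""
    assert len(old) == len(new)
    return cert_der.replace(old.encode(), new.encode())


def raw_pk_message(spki, webid):
    """Hypothetical framing: 2-byte SPKI length, SPKI, then the URI with nothing signing it."""
    return len(spki).to_bytes(2, "big") + spki + webid.encode()


def parse_raw_pk_message(msg):
    n = int.from_bytes(msg[:2], "big")
    return msg[2:2 + n], msg[2 + n:].decode()


def mitm_rewrite_raw_uri(msg, new):
    spki, _ = parse_raw_pk_message(msg)
    return raw_pk_message(spki, new)


def webid_verify(spki, webid, profiles):
    """The WebID step common to both encodings: the profile at the URI must publish this key.
    `profiles` is a constructed dict standing in for dereferencing the profile document."""
    return profiles.get(webid) == spki


def demo():
    key = ec.generate_private_key(ec.SECP256R1())
    spki = raw_public_key(key)
    profiles = {WEBID: spki}                      # constructed: Alice's profile lists her key

    cert_der = make_webid_cert(key, WEBID)
    bad_cert = mitm_rewrite_cert_uri(cert_der, WEBID, EVIL)

    raw_msg = raw_pk_message(spki, WEBID)
    bad_raw = mitm_rewrite_raw_uri(raw_msg, EVIL)
    bad_spki, bad_uri = parse_raw_pk_message(bad_raw)

    return {
        "cert_bytes": len(cert_der),
        "raw_bytes": len(raw_msg),
        "cert_selfsig_ok_untouched": self_signature_ok(cert_der),
        "cert_selfsig_detects_tamper": not self_signature_ok(bad_cert),
        # raw form: key intact, URI replaced, and nothing in the message reveals it
        "raw_tamper_undetectable_locally": bad_spki == spki and bad_uri == EVIL,
        "webid_step_accepts_untouched": webid_verify(*parse_raw_pk_message(raw_msg), profiles),
        "webid_step_rejects_tampered_cert": not webid_verify(spki, webid_in_cert(bad_cert), profiles),
        "webid_step_rejects_tampered_raw": not webid_verify(bad_spki, bad_uri, profiles),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The byte counts make the RFC 7250 motivation concrete (the raw form is a fraction of the certificate), and the last three results show why the thread treats the unsigned URI as a DoS rather than an impersonation issue under this model: a rewritten URI in either form fails at the profile lookup, because the attacker's URI does not point to a profile publishing the victim's key. The framing of the raw message is a hypothetical of this example, not a DTLS or RFC 7250 structure.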
Received on Saturday, 22 November 2014 01:55:34 UTC
