W3C home > Mailing lists > Public > public-webid@w3.org > November 2014

Re: RAW public keys and WebID - where the URI goes

From: Yunus Durmuş <yunus@yanis.co>
Date: Sun, 23 Nov 2014 14:07:24 +0100
Message-ID: <CAP_smCknR4mw+DaVsR-_s2dtKdaytZ-oHZR=2WbmwfgZG-hNEA@mail.gmail.com>
To: "henry.story@bblfish.net" <henry.story@bblfish.net>
Cc: Yunus Durmuş <yunus@yanis.co>, public-webid <public-webid@w3.org>
On Fri, Nov 21, 2014 at 6:30 PM, henry.story@bblfish.net <
henry.story@bblfish.net> wrote:

>
> On 21 Nov 2014, at 12:29, Yunus Durmuş <yunus@yanis.co> wrote:
>
> Hi everyone,
>
> These days, RAW public keys (RFC-7250 <http://tools.ietf.org/html/rfc7250>)
> are being pushed for tiny constrained devices. As the name suggests,
> instead of an X509 certificate, only the public key is transferred nothing
> else -even the identity and signature-. The motivation behind is that there
> will be less bits on the wire and there won't be any need for certificate
> parsing/validation code.
>
>
> Seems like an interesting  idea.
>
>
> Then the question is how can we transfer the magic URI for the WebID
> protocol? We can  embed the uri in the messages of DTLS (Datagram-TLS) or
> we can attach it to the end of public key. However, there won't be a
> certificate signature that verifies the integrity of the URI.
>
>
> Do you consider it as a serious problem? With a man in the middle attack,
> the URI can be altered, which results in a DOS attack. But, to me, it is
> the same as changing the X509 certificate on the wire with a new one.
>
>
> if you look at the sequence diagram in WebID TLS
>
>
> http://www.w3.org/2005/Incubator/webid/spec/tls/#authentication-sequence
>
> In 1) the TLS setup is done using the server certificate
> from then on all communication is secured.
>
> 4) then happens over a secured connection.
>
> How does a man in the middle attack take place?
>


That's good news. If the RAW public key+URI is transmitted over a secure
channel, then an adversary cannot deploy a man in the middle attack.

--yunus


>
> Henry
>
>
> best
> --yunus
>
>
> Social Web Architect
> http://bblfish.net/
>
>
Received on Sunday, 23 November 2014 13:08:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:50 UTC