Re: WebID-RSA. Re: google proposing to deprecate KEYGEN

On 2015-08-04 08:12, Henry Story wrote:
>
>> On 31 Jul 2015, at 17:25, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> On 2015-07-31 15:47, Andrei Sambra wrote:
>>> I’ve already started work (this spring) on an alternative auth
>>> protocol based on WebID, which uses the new WebCrypto API. You can read about it here [0].
>>
>> Pardon my ignorance but I don't understand how WebID-RSA works since
>> WebCrypto is SOP-crippled.  That you can generate a key on the fly
>> is true but exactly what does that buy?
>
> What does SOP-crippled mean?

HTTPS CCA (Client Certificate Authentication) allows you to share a certificate
with any number of sites (domains).  This is a huge drawback according to the folks
working with core Web security- and privacy-technology in W3C.

WebCrypto as well as FIDO/U2F only allow the domain that generated a particular
key to "see" it, following SOP (Same Origin Policy).

If you need to generate a new key for each site you are visiting, I don't see how you
could maintain the binding to a particular WebID without running something like an e-mail
verification round-trip which IMO would make such a system much less attractive.

Anders

>
>
>>
>> Anders
>>
>>>
>>> It’s currently implemented in gold [1], one of the SoLiD servers.
>>>
>>> —Andrei
>>>
>>> [0] https://github.com/linkeddata/SoLiD#webid-rsa
>>> [1] https://github.com/linkeddata/gold
>>>
>>>> On Jul 31, 2015, at 8:51 AM, Cory Sabol <cssabol@uncg.edu> wrote:
>>>>
>>>> It would be interesting to conduct some work on that. WebID with some alternative crypto APIs.
>>>>
>>>> On Fri, Jul 31, 2015 at 6:42 AM, Andreas Kuckartz <a.kuckartz@ping.de> wrote:
>>>>
>>>>     Kingsley Idehen wrote:
>>>>     > Keygen doesn't define existence of WebID-TLS. It just offered a
>>>>     > perceived convenience.
>>>>
>>>>     Can WebID-TLS be based on the Web Cryptography API instead?
>>>>
>>>>     What would be the advantages and disadvantages?
>>>>
>>>>     Cheers,
>>>>     Andreas
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> -Cory Sabol
>>>> cssabol@uncg.edu
>>>>
>>>
>>
>>
>

Received on Tuesday, 4 August 2015 07:05:47 UTC