Re: WebID-TLS using X509 fingerprints

Hi all.

Apologies for the late update. We've been experimenting with the NI URIs approach (as suggested by Melvin) for the last month or so and decided to go with it.

I've thus spent a few hours polishing my experimental module and expanding the readme. I've moved its repository to https://github.com/jacoscaz/node-netid-ni-tls and renamed the module to "netid-ni-tls" as it does implement an out-of-specs variation of the WebID-TLS protocol (as pointed out by Kingsley).

In our NetIDs we're using triples such as the following ones: 

@prefix cert: <http://www.w3.org/ns/auth/cert#> .
<ni:///sha-256;VYfZ+POv6qLZGxKBXxDCmtARwzI0mE7A7Xy0hqEHN5Q> a cert:X509Certificate;
    cert:identity <https://jacoscaz.com/me> .

The flexibility that NI URIs provide is exactly what we had been looking for.

Cheers.

Jacopo Scazzosi


On 15 September 2016 at 17:17:01, Kingsley Idehen (kidehen@openlinksw.com) wrote:
> On 9/15/16 11:32 AM, Melvin Carvalho wrote:
> >
> >
> > On 15 September 2016 at 17:22, Kingsley Idehen wrote:
> >
> > On 9/13/16 7:58 AM, Jacopo Scazzosi wrote:
> > > Hello.
> > >
> > > First mail to this list. My name's Jacopo Scazzosi, nice to meet you all.
> > >
> > > I've been recently researching the world of WebID-TLS. The current
> > > specs seem to dictate the use of RSA. As one of my requirements is the
> > > support of different types of keys, I've written a proof-of-concept
> > > authentication module for nodejs using X509 fingerprint comparison
> > > instead of exponent+modulus comparison. I'm currently using SHA-256
> > > fingerprints but I plan on leaving the choice of the hash function up
> > > to our subjects. Module is here:
> > > https://github.com/jacoscaz/node-webidentity
> >  
> > >
> > > Has support for non-RSA keys been already considered in the past?
> > >
> > > Cheers.
> >
> > Hi Jacopo,
> >
> > We have included fingerprint lookup in our authentication module which
> > supports WebID+TLS.
> >
> > The only issue here is that we are now talking about a different protocol
> > i.e., not part of the WebID+TLS spec, as it currently stands. Thus, we
> > currently use the moniker NetID for this particular option.
> >
> > Fingerprints are much easier with regards to manual setup of
> > WebID-Profile documents associated with WebIDs en route to PKI
> > exploitation in any authentication protocol.
> >
> > Anyway, we take the same position as you i.e., it's there as an option :)
> >
> >
> > I wonder if this is worth standardizing?
> >
>  
> Realistically, it's best done as a "best practice" effort first. Then
> following lots of interop etc., a case can be made for standardization
> (which is a protracted process).
>  
>  
> --
> Regards,
>  
> Kingsley Idehen
> Founder & CEO
> OpenLink Software (Home Page: http://www.openlinksw.com)
>  
> Medium Blog: https://medium.com/@kidehen
> Blogspot Blog: http://kidehen.blogspot.com
> Twitter Profile: https://twitter.com/kidehen
> Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
>  
>  

Received on Sunday, 11 December 2016 14:13:01 UTC
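
An added example, not code from netid-ni-tls or from any of the posts above: checking a client certificate against an NI URI like the one in the triples quoted in this thread. It assumes the fingerprint is the SHA-256 of the DER-encoded certificate; the function names and the stand-in certificate bytes are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// NI hash names this check accepts -> Node digest name and digest size.
// Anything not listed (e.g. truncated variants like sha-256-128) is rejected.
const NI_ALGORITHMS = new Map([['sha-256', { node: 'sha256', bytes: 32 }]]);

// Split an RFC 6920 NI URI into its algorithm name and raw digest bytes.
function parseNiUri(uri) {
  const m = /^ni:\/\/[^/?#]*\/([a-z0-9-]+);([A-Za-z0-9_+\/-]+)=*(?:\?.*)?$/.exec(uri);
  if (!m) throw new Error('not an NI URI');
  const [, alg, value] = m;
  const spec = NI_ALGORITHMS.get(alg);
  if (!spec) throw new Error(`unsupported hash: ${alg}`);
  // RFC 6920 specifies unpadded base64url; the URI quoted in this thread uses
  // the standard alphabet ('+'), so fold both alphabets before decoding.
  const digest = Buffer.from(value.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  if (digest.length !== spec.bytes) throw new Error('digest length mismatch');
  return { alg, digest };
}

// Canonical NI URI (base64url, no padding) for a DER-encoded certificate.
function niUriForCert(certDer) {
  const digest = crypto.createHash('sha256').update(certDer).digest('base64url');
  return `ni:///sha-256;${digest}`;
}

// True only if the certificate hashes to the digest carried in the NI URI.
// Malformed or unsupported URIs fail closed instead of throwing.
function certMatchesNi(certDer, niUri) {
  let parsed;
  try { parsed = parseNiUri(niUri); } catch { return false; }
  const actual = crypto.createHash(NI_ALGORITHMS.get(parsed.alg).node)
    .update(certDer).digest();
  return crypto.timingSafeEqual(actual, parsed.digest); // lengths already equal
}

// Constructed stand-in for DER bytes; in a Node TLS server the real value
// would come from socket.getPeerCertificate().raw.
const sampleCert = Buffer.from('constructed stand-in for a DER certificate');
const profileUri = niUriForCert(sampleCert); // what the profile would publish
console.log(certMatchesNi(sampleCert, profileUri));                 // true
console.log(certMatchesNi(Buffer.from('other cert'), profileUri));  // false
```

Comparing decoded digest bytes rather than URI strings keeps a profile that uses '+' and one that uses '-' for the same fingerprint from being treated as different certificates.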