Re: WebID-TLS using X509 fingerprints

> On 13 Sep 2016, at 13:58, Jacopo Scazzosi <me@jacoscaz.com> wrote:
> 
> Hello.
> 
> First mail to this list. My name's Jacopo Scazzosi, nice to meet you all.
> 
> I've been recently researching the world of WebID-TLS. The current specs seem to dictate the use of RSA. As one of my requirements is the support of different types of keys, I've written a proof-of-concept authentication module for nodejs using X509 fingerprint comparison instead of exponent+modulus comparison. I'm currently using SHA-256 fingerprints but I plan on leaving the choice of the hash function up to our subjects. Module is here: https://github.com/jacoscaz/node-webidentity

It is clear that one should extend WebID auth way beyond RSA.

But the protocol, by being limited to RSA, had the advantage of being simple
and very clean.

One could extend to larger number of keys in a number of ways:
 1. by extending the ontology to cover all the other cryptographic key types.
 2. by building on older binary standards such as X509 inside of PEM and including those in the RDF or pointing to them
 3. something like what you suggest

They each have their advantages and disadvantages.

Because what counts for this to work is interoperability, one really would
need to know how many people with how many webId deployments in the making
would be coming on board if one of these is adopted. 

1. is a lot of work, but may be a lot easier because of the ground work done by JOSE.
  But just thinking about that is going to be a lot of work.

2. is what the Web Payments group have done and could be followed
   https://web-payments.org/vocabs/security

3. requires an ontology for X509 certificates in particular.
   What is the use case of what you are looking for over and above 1 and 2?



> Has support for non-RSA keys been already considered in the past?

Yes. The aim of this group was to come to a definition of the webid protocol.
The work on cryptographic ontologies would require us to have a lot more knowledgeable cryptographers
on board than we have had, so it was left to be done for a later time.

Henry

> 
> Cheers.
> 
> 

Received on Thursday, 15 September 2016 10:54:31 UTC
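
Added example (not part of the original message, and not code from the node-webidentity module): one way a verifier could do the fingerprint comparison discussed in this thread independently of key type, while letting the subject choose the hash only from a verifier-side allow-list. The `{ alg, hex }` profile entries and all function names are hypothetical, and the SPKI DER of freshly generated keys stands in for the certificate's DER bytes as constructed input.

```javascript
const crypto = require('node:crypto');

// Verifier-side allow-list: the subject names the hash, the verifier decides
// which names it is willing to accept.
const ALLOWED_HASHES = new Set(['sha256', 'sha384', 'sha512']);

// Hash the DER bytes with the named algorithm. Nothing here depends on the
// key type, unlike an exponent+modulus comparison.
function fingerprint(der, alg) {
  return crypto.createHash(alg).update(der).digest();
}

// True if any acceptable published entry matches the presented DER bytes.
function matchesProfile(der, entries) {
  let ok = false;
  for (const { alg, hex } of entries) {
    if (!ALLOWED_HASHES.has(alg)) continue; // skip weak or unknown hashes
    const claimed = Buffer.from(hex, 'hex');
    const actual = fingerprint(der, alg);
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (claimed.length === actual.length &&
        crypto.timingSafeEqual(claimed, actual)) ok = true;
  }
  return ok;
}

// Constructed sample input (assumption: stands in for a certificate's DER).
function sampleDer(type, options) {
  return crypto.generateKeyPairSync(type, options)
    .publicKey.export({ type: 'spki', format: 'der' });
}

function demo() {
  const rsa = sampleDer('rsa', { modulusLength: 2048 });
  const ec = sampleDer('ec', { namedCurve: 'prime256v1' });
  const stranger = sampleDer('ec', { namedCurve: 'prime256v1' });
  const profile = [
    { alg: 'sha256', hex: fingerprint(rsa, 'sha256').toString('hex') },
    { alg: 'sha384', hex: fingerprint(ec, 'sha384').toString('hex') },
  ];
  // A correct fingerprint, but published with a hash outside the allow-list.
  const weakOnly = [{ alg: 'sha1', hex: fingerprint(ec, 'sha1').toString('hex') }];
  return {
    rsa: matchesProfile(rsa, profile),
    ec: matchesProfile(ec, profile),
    stranger: matchesProfile(stranger, profile),
    weak: matchesProfile(ec, weakOnly),
  };
}

console.log(demo());
```

The fingerprint match only ties the presented certificate to the profile; proof that the client holds the private key still comes from the TLS handshake.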