- From: Jacopo Scazzosi <me@jacoscaz.com>
- Date: Thu, 15 Sep 2016 16:56:45 +0100
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: public-webid <public-webid@w3.org>
- Message-ID: <57DAC4BD.50306@jacoscaz.com>
Disclaimer: I'm venturing into territories I am not qualified to venture in.
That said, wouldn't a hash-based URI point to the hashed certificate? If
I had a way to dereference such a URI, I would expect the certificate
itself to come up. Something like
  <div about="ni://sha-256;Mub5jcxUlUz6SG0oWKmHtIYGNgATBmPdRdlXiKxRBWw" typeof="cert:X509Certificate" prefix="cert: http://www.w3.org/ns/auth/cert# foaf: http://xmlns.com/foaf/0.1/">
    <div rel="cert:identity" href="https://example.com/me"></div>
    <div rel="foaf:sameAs" href="https://example.com/cert"></div>
  </div>

Will get back to this list tomorrow. Have a great day everybody!

Cheers.
> Melvin Carvalho <mailto:melvincarvalho@gmail.com>
> 15 September 2016 at 16:43
>
>
> On 15 September 2016 at 17:37, Jacopo Scazzosi <me@jacoscaz.com
> <mailto:me@jacoscaz.com>> wrote:
>
> Hello again.
>
> Thank you all for your replies and apologies to Melvin for the
> duplicate email - I'm not used to posting on mailing lists.
>
> @Melvin, I was not aware of the "Naming things with hashes" RFC.
> Thank you so much for pointing me to that. By turning the hash
> into a proper URI, it saves me from having to extend the "cert"
> vocabulary or come up with a vocabulary of my own - awesome! I've
> just pushed a commit that implements this - works perfectly.
>
> @Kingsley thank you for feedback and thank you for letting me know
> about NetID - I'll make sure to name my stuff accordingly.
>
> @Adrian I'll have a look soon - thank you for letting me know.
>
> @Henry and @everyone, I opted for the fingerprint w/ hashing
> function options as I wanted something:
>
> - future-proof (hashing function is specified in the RDF document)
> - secure (server can choose to reject a fingerprint with a weak or
> unsupported hashing function)
> - lightweight (often my payloads are a fraction of the
> certificates being used)
> - easy (quasi-immediate to understand by devs unfamiliar with the
> semantic world)
>
> That said, I'm not a semantic nor a crypto guru. I'm here to
> learn... :)
>
>
> Looks great!
>
> re:
>
>   <div about="ni://sha-256;Mub5jcxUlUz6SG0oWKmHtIYGNgATBmPdRdlXiKxRBWw" typeof="cert:X509Certificate" prefix="cert: http://www.w3.org/ns/auth/cert#">
>     <div rel="cert:identity" href="https://example.com/me"></div>
>   </div>
>
> Maybe we need an entry in the "typeof" field, something like cert:X509Fingerprint ?
>
>
> Cheers.
>
>
> Melvin Carvalho wrote:
>
> Hello again.
>
> Thank you all for your replies.
>
> @Melvin, I was not aware of the "Naming things with hashes"
> RFC. Thank you for pointing me to that. By turning the hash
> into a proper URI, it saves me from having to extend the
> "cert" vocabulary or come up with a vocabulary of my own -
> awesome!
>
> @everyone, I opted for the fingerprint w/ hashing function as
> I wanted something:
>
> - future-proof (hashing function is specified in the RDF document)
> - secure (server can choose to reject a fingerprint with a
> weak or unsupported hashing function)
> - lightweight (often my payloads are a fraction of the
> certificates being used)
>
> That said, I'm not a semantic nor a crypto guru - I might be
> going in the wrong direction. I'm here to learn... :)
>
> Cheers.
>
>
>
>
> Melvin Carvalho <mailto:melvincarvalho@gmail.com>
> 15 September 2016 at 14:27
>
>
> On 13 September 2016 at 13:58, Jacopo Scazzosi <me@jacoscaz.com
> <mailto:me@jacoscaz.com>> wrote:
>
> Hello.
>
> First mail to this list. My name's Jacopo Scazzosi, nice to meet
> you all.
>
> I've been recently researching the world of WebID-TLS. The current
> specs seem to dictate the use of RSA. As one of my requirements is
> the support of different types of keys, I've written a
> proof-of-concept authentication module for nodejs using X509
> fingerprint comparison instead of exponent+modulus comparison. I'm
> currently using SHA-256 fingerprints but I plan on leaving the
> choice of the hash function up to our subjects. Module is here:
> https://github.com/jacoscaz/node-webidentity
> <https://github.com/jacoscaz/node-webidentity>
>
> Has support for non-RSA keys been already considered in the past?
>
>
> Hi & Welcome!
>
> Yes other keys have been considered in the past. Actually the WebID
> vocabulary is supposed to support DSA keys, too. But there is a bug
> in the ontology which means that it doesn't.
>
> I raised this in March 2013 (yes, 3 and a half years ago!)
> https://lists.w3.org/Archives/Public/public-webid/2013Mar/0007.html
>
> Leading to a patch which has still not got upstream. So we seem to
> have an issue with the process of change control. However, given that
> the ontology is on the w3c namespace there are perhaps some people
> that can help out here. Any volunteers? :)
>
> I'd support more keys, namely to fix DSA and personally I have a use
> case for crypto currencies using ECC keys.
>
> I think there is a general consensus to allow the inclusion of PEM
> encoded keys, but maybe it's time to revisit this discussion.
>
> Fingerprints are a really interesting idea, thanks for working on
> this. One question, have you looked at the "Naming things with
> hashes" RFC? Do you think there's an overlap here?
>
> https://tools.ietf.org/html/rfc6920
>
>
> Cheers.
>
>
>
Received on Thursday, 15 September 2016 15:57:12 UTC