Re: Verifying WebID fails from Martynas Jusevičius on 2017-06-28 (public-webid@w3.org from June 2017)

From: Martynas Jusevičius <martynas@atomgraph.com>
Date: Wed, 28 Jun 2017 00:44:07 +0000
To: Kingsley Idehen <kidehen@openlinksw.com>, public-webid@w3.org
Message-ID: <CAE35VmzvPZ4utvKBzV7SGZLEHr+nkWXGbVFJ9Vuz5s10a5UbGQ@mail.gmail.com>

Kingsley,

I am implementint WebID authentication in our software, and key mismatch is
a real scenario.

Can you show me where in the spec it is addressed?

On Wed, 28 Jun 2017 at 02.04, Kingsley Idehen <kidehen@openlinksw.com>
wrote:

> On 6/27/17 6:33 PM, Martynas Jusevičius wrote:
> > Hi,
> >
> > I think there is another case where failure scenario is not defined in
> > protocol: verifying the WebID.
> >
> > What happens if the certificate key does not match the WebID key? None
> > of the verification steps or sections seem to consider that. I suggest
> > again that a 400 Bad Request should be returned.
> >
> > I think it is important for the protocol to handle failures if we want
> > robust implementations.
> >
> > Is this group active enough to fix such issues?
> >
> >
> > Martynas
>
>
> Hi Martynas,
>
> What do you mean by Certificate Key? Are you referring to the Public Key
> component of an X.509 Certificate?
>
> Bearing in mind that WebID+TLS isn't new, are there are implementations
> out in the wild, wouldn't it be better if you started off by testing
> authentication of your WebID against existing implementations?
>
> You might also find the YouID browser extension we built interesting
> since its sole purpose is simplification of WebID+TLS and/or
> WebID+TLS+Delegation protocol usage (e.g., negating the UX headache
> introduced by browsers when toggling WebIDs over and existing TLS
> session) [1].
>
> You can try:
>
> [1] http://linkeddata.uriburner.com/sparql -- click on "login" button
>
> [2] http://osdb.openlinksw.com -- click on the "login" button
>
> [3] http://id.myopenlink.net/ods/webid_demo.html -- most basic WebID+TLS
> authentication tool we have
>
> Links:
>
> [1]
>
> https://medium.com/openlink-software-blog/simple-youid-browser-extension-usage-exercise-57fa3ff6c6b7
> -- Simple YouID Browser Extension Usage Exercise.
>
> --
> Regards,
>
> Kingsley Idehen
> Founder & CEO
> OpenLink Software   (Home Page: http://www.openlinksw.com)
>
> Weblogs (Blogs):
> Legacy Blog: http://www.openlinksw.com/blog/~kidehen/
> Blogspot Blog: http://kidehen.blogspot.com
> Medium Blog: https://medium.com/@kidehen
>
> Profile Pages:
> Pinterest: https://www.pinterest.com/kidehen/
> Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
> Twitter: https://twitter.com/kidehen
> Google+: https://plus.google.com/+KingsleyIdehen/about
> LinkedIn: http://www.linkedin.com/in/kidehen
>
> Web Identities (WebID):
> Personal: http://kingsley.idehen.net/dataspace/person/kidehen#this
>         :
> http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this
>
>
>

Received on Wednesday, 28 June 2017 00:44:51 UTC