W3C home > Mailing lists > Public > public-webid@w3.org > October 2017

Re: Status-Check

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 21 Oct 2017 17:32:11 +0200
Message-ID: <CAKaEYhKgLc-uq4Yv7rpW0MXxW1A5Fbi5Quh=J4MscSXQj-1vng@mail.gmail.com>
To: Martynas Jusevičius <martynas@atomgraph.com>
Cc: Timothy Holborn <timothy.holborn@gmail.com>, Henry Story <henry.story@bblfish.net>, "public-webid@w3.org" <public-webid@w3.org>
On 21 October 2017 at 15:45, Martynas Jusevičius <martynas@atomgraph.com>

> Why would WebID need the OpenID stuff?


Motivation for WebID-OIDC

The Solid team, while researching additional authentication mechanisms
<https://github.com/solid/solid/issues/22> to run alongside the existing
one (WebID-TLS
performed a review of existing authentication protocols that has been used
by (or proposed for) decentralized application ecosystems. Several criteria
were kept in mind.

One, we wanted to avoid the common pitfalls that are often encountered when
dealing with authentication for decentralized systems: the use of HTTP
Basic or Digest Auth, and relying on Bearer Tokens as an authentication

Secondly, we were looking for a protocol that did not rely solely on
identifying users via public/private crypto keys. Aside from the general
difficulty people have with storing and managing crypto keys, public client
applications (browser side Javascript apps, for example) do not have access
to private key storage facilities or keychain APIs. (And even the upcoming
WebAuthn <https://www.w3.org/TR/webauthn/> spec requires the user to
*register* an account for each origin/domain -- precisely the situation
that most decentralized social app projects like Solid are trying to fix.)
This ruled out proposals such as HTTP Signatures, most "Identity on the
Blockchain" proposals including Bitcoin, and other client-side key
management based systems.

If at all possible, we were looking for protocols that used standards and
tech stacks that were familiar and comprehensible to app developers (which
ruled out the older XML-based SAML protocol, as well as earlier
incarnations of OpenID).

Other properties that we were looking for in a protocol included:

   - Support for the full range of app and agent types, including browser
   side Javascript apps, traditional server-side web apps, mobile apps and
   desktop apps, and so on. The ability to support authentication of
   non-browser-based agents (such as server-side feed readers, desktop and
   mobile apps, etc) meant that we needed alternatives to the "Authenticate to
   your pod with a username and password and rely on WebID-TLS delegation
   through the pod" strategy.
   - Addressed and incorporated security best practices and recommendations
   (see, for example RFC 4962 <https://tools.ietf.org/html/rfc4962> and RFC
   6819 <http://tools.ietf.org/html/rfc6819>), such as fresh strong session
   keys, cryptographic algorithm independence, authentication of all parties
   involved (user, client app, server, etc), and proof against common attacks
   (replay attacks, man-in-the-middle, token hijacking and many others).
   - Provided a familiar end-user experience
   - Was usable on public or shared computers (had reasonable sign-out
   capabilities, etc)
   - Was compatible with the other complementary Solid specs (such as the
   Web Access Control authorization system)
   - Had support for down-the-road capability requirements, such as access
   revocation, blacklists and whitelists for both apps and service providers,
   the possibility of pairwise pseudonymity, pre-authorized "unattended"
   access, and so on.

OpenID Connect

We have found OpenID Connect the only protocol that fit all of those
requirements (or even came close). At its heart, OIDC is a general purpose
toolkit for authentication and delegation, with provisions and
specifications for:

   - User authentication via methods both familiar (such as username and
   password, WebID-TLS browser side certificates) and upcoming (such as the
   FIDO 2/ WebAuthn <https://www.w3.org/TR/webauthn/> standard)
   - Verification of identity providers
   - Verification of client applications of all types (browser side, server
   side, desktop and mobile, etc)
   - Session expiration, user-initiated logout, and access revocation

> On Sat, Oct 21, 2017 at 3:28 PM, Timothy Holborn <
> timothy.holborn@gmail.com> wrote:
>> On Sat, 21 Oct 2017 at 23:30 Henry Story <henry.story@bblfish.net> wrote:
>>> On 19 Oct 2017, at 14:35, Timothy Holborn <timothy.holborn@gmail.com>
>>> wrote:
>>> Hi Henry / WebID,
>>> What's going on with WebID?
>>> I am trying to write a PhD thesis on this area in order to explain to
>>> the security community
>>> its' properties in the mathematical language they understand.
>> good for you.  I'm working on a ISOC-SIG to progress things that don't
>> fit into W3.  I'm hoping this will result in positive steps forward
>> overall...
>>> The WebID community is a nice group, but convincing ourselves that this
>>> is great is not
>>> much use to convince the wider world.
>> I've just found that the Digital-Signatures work has moved around a bit,
>> and i'm not 100% on board with the DID work (whilst admitting, i haven't
>> fully investigated it).  it was my view, what is now many years ago, that
>> the ability to build-out signed documents was an important constituent to
>> 'identity' and that aptly, the requirement at the time was to change the
>> terms as to ensure the scope was 'verifiable claims'; that this work is,
>> well.  as done as i think it needs to be; and the other constituent of the
>> 'identity' related stuff (as required for RWW related works) now needs a
>> bit of rejuvenation seemingly...?
>>> I see the OIDC-WebID-Spec[1] but it doesn't seem to have made it into
>>> the WebID group[2] info, et.al.
>>> There are a number of things to look at. But I'd rather have people in
>>> the security space confined of this,
>>> than various hackers more or less aware of security issues.
>> k. important point.
>> When you're talking about security experts; is this requirement important
>> for updating the WebID docs to include the OIDC methods?
>> my little map in my head; left me thinking that when it comes to the
>> underlying ID bit - that's a WebID.   After the WebID it gets more
>> complicated; and that some of those WebIDs probably should describe a
>> machine (rather than its user, which is a different WebID)
>>> I note also; the ability to produce (and link) verifiable claims or
>>> 'credentials' I felt, some-time ago now, was quite an important extension
>>> to WebID theorem; yet the WebID Spec still makes no reference of JSON-LD
>>> which i still think is not ideal.
>>> That's something one could remedy quite easily....  Will see as I give
>>> in my first year report back. But the problem
>>> WebID is having is not because the spec does not mention json-ld.
>> Understand.   If i'm successful in getting the ISOC method up and running
>> (noting also, there's a related field of endeavour in IEEE[3] - i'm hoping
>> for a good community) ; then the theory is we'll be able to deal with 'the
>> social implications' a bit more broadly, and this in-turn should yield
>> better means to get stuck into any tech. requirements needed thereafter, as
>> well as better illustrating the need for RWW like deployment methods (and
>> in-turn, forming a comprehensive global / regional framework via Local ISOC
>> chapters to help educate local stakeholders, such as GOV, how, why, methods
>> and benefits of doing so).
>> It's been a fair bit of effort, and its not even started yet.  Yet i
>> think the WebID stuff is important, and it seems to the docs are all a bit
>> out of date.
>>> Tim.H.
>>> [1] https://github.com/solid/webid-oidc-spec
>>> [2] https://www.w3.org/community/WebID/
>>> Tim.H.
>> [3] https://standards.ieee.org/about/sasb/iccom/IC17-002-01_Di.pdf
Received on Saturday, 21 October 2017 15:32:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:06:03 UTC