Re: Recovery of compromised WebID

Quoting Sebastian Hellmann (2019-03-03 09:41:40)
> Hi Kingsley,
> 
> you are writing a lot of text without answering my simple question:
> 
> If I find a way to change your public key in your WebID to match my 
> private key, can I log into your accounts with my private key?
> 
> Your associated accounts for your WebID seem quite valuable already, I 
> could target your employees with root access and make them an offer they 
> can't refuse.
> 
> What security measures against identity theft are in place and where can 
> I read about them? This here is minimal: 
> https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security

This is a WebID: https://dr.jones.dk/me/#me

That is an identity. Just like "Jonas Smedegaard" is an identity.

It is not secure against identity theft. It is just a URI.

***

An RDF document is served at the URL of my WebID.

That is an identifier.  Just like my birth certificate and my passport 
are identifiers.

It is not secure against identity theft.  It is just a document.

***

A public TLS key is contained within my WebID RDF document.

That can be used for (the public part of) WebID+TLS authentication. 
Just as contacting the church where I was baptised to verify that 
they got a matching copy of my birth certificate, or calling up the 
Danish authorities to verify if they got matching credentials for 
my passport can authenticate identifiers for my other identities.

***

If you find a way to break into and manipulate my web server, or if you 
bribe the clerk at the church or the police department, then you can 
steal my identities.

For WebID+TLS you would want to find flaws in TLS to break into the 
protocol of authenticating WebIDs _that_ way.  And similarly for other 
authentication protocols of WebID.

There might be ways _specific_ to how TLS is tied to WebID, and 
those might be flawed.  Which is what you found a document about.  But 
that document does not cover all the *other* ways you can gain control 
over my WebID, including simply showing up at my doorstep and kicking me in 
the face with a bat until I hand over the private TLS key, or burning down 
my house (it is made of wood) to stop my server from running.

What was your "simple question" again?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
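The WebID+TLS check Jonas describes, reduced to its core as an added example (this is not code from the original post, from Jonas, or from any WebID implementation): the client certificate names a WebID in its subjectAltName, the relying party fetches the RDF document served at that URI, and the certificate's RSA public key must appear as a cert:key in that document. The profile, the placeholder WebID and the attacker's key below are constructed; the regex extraction is a simplification of Turtle parsing; and the final "new keys since pin" function is an assumed defender-side check, not part of the WebID-TLS protocol. Running it shows the point of the thread: once the served document is altered to carry another key, that key authenticates, so the document's integrity is the whole trust root.

```python
import re
from dataclasses import dataclass
from typing import Set

# Constructed sample profile in the WebID-TLS cert: vocabulary.
# It is NOT the real document served at https://dr.jones.dk/me/#me.
WEBID = "https://example.org/profile#me"          # placeholder WebID
PROFILE_TEMPLATE = """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<#me> cert:key [ a cert:RSAPublicKey ;
        cert:modulus "{modulus_hex}"^^xsd:hexBinary ;
        cert:exponent {exponent} ] .
"""
LEGIT_MODULUS_HEX = "00cafef00d1234567890abcdef"      # constructed, not a real key
ATTACKER_MODULUS_HEX = "00deadbeef0987654321fedcba"   # constructed, not a real key


@dataclass(frozen=True)
class RSAPublicNumbers:
    modulus: int
    exponent: int


@dataclass(frozen=True)
class ClientCert:
    """Fields a TLS stack would hand us from the presented client certificate."""
    san_uri: str            # subjectAltName URI = the WebID the client claims
    key: RSAPublicNumbers   # RSA public numbers from the certificate


def render_profile(modulus_hex: str, exponent: int = 65537) -> str:
    """Serve-side view: the Turtle document published at the WebID URI."""
    return PROFILE_TEMPLATE.format(modulus_hex=modulus_hex, exponent=exponent)


_KEY_BLOCK = re.compile(r"cert:key\s*\[(.*?)\]", re.S)
_MODULUS = re.compile(r'cert:modulus\s+"([0-9A-Fa-f]+)"')
_EXPONENT = re.compile(r"cert:exponent\s+(\d+)")


def profile_keys(turtle: str) -> Set[RSAPublicNumbers]:
    """Extract (modulus, exponent) pairs from each cert:key block.
    Simplified regex extraction for this example, not a full Turtle parser."""
    keys = set()
    for block in _KEY_BLOCK.findall(turtle):
        mod = _MODULUS.search(block)
        exp = _EXPONENT.search(block)
        if mod and exp:
            keys.add(RSAPublicNumbers(int(mod.group(1), 16), int(exp.group(1))))
    return keys


def webid_tls_verify(profile_turtle: str, cert: ClientCert, claimed_webid: str) -> bool:
    """Core WebID+TLS decision: the certificate's key must be listed in the
    document fetched from the WebID it claims. Nothing else is checked, which
    is exactly why control of the document equals control of the identity."""
    if cert.san_uri != claimed_webid:
        return False
    return cert.key in profile_keys(profile_turtle)


def new_keys_since_pin(pinned: Set[RSAPublicNumbers],
                       current: Set[RSAPublicNumbers]) -> Set[RSAPublicNumbers]:
    """Assumed defender-side check, not part of WebID-TLS: keys present in the
    freshly fetched profile that were absent from an earlier pinned snapshot.
    A non-empty result is the signal that the served document changed."""
    return current - pinned


if __name__ == "__main__":
    legit = ClientCert(WEBID, RSAPublicNumbers(int(LEGIT_MODULUS_HEX, 16), 65537))
    attacker = ClientCert(WEBID, RSAPublicNumbers(int(ATTACKER_MODULUS_HEX, 16), 65537))

    genuine_profile = render_profile(LEGIT_MODULUS_HEX)
    pinned = profile_keys(genuine_profile)
    print("legit vs genuine profile:   ", webid_tls_verify(genuine_profile, legit, WEBID))
    print("attacker vs genuine profile:", webid_tls_verify(genuine_profile, attacker, WEBID))

    # The scenario from the question: the document at the WebID now carries the attacker's key.
    tampered_profile = render_profile(ATTACKER_MODULUS_HEX)
    print("attacker vs tampered profile:", webid_tls_verify(tampered_profile, attacker, WEBID))
    print("keys not in pinned snapshot: ", new_keys_since_pin(pinned, profile_keys(tampered_profile)))
```

The check compares only public numbers, so the relying party never learns whether the document was edited legitimately (a key rotation) or by someone who broke into the web server; the pinned-snapshot comparison is the kind of out-of-band signal an operator would need to tell those apart.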

Received on Sunday, 3 March 2019 09:47:47 UTC