- From: Jonas Smedegaard <jonas@jones.dk>
- Date: Sun, 03 Mar 2019 10:47:12 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>, Sebastian Hellmann <hellmann@informatik.uni-leipzig.de>, public-webid@w3.org
- Message-ID: <155160643253.19101.9176271404184261481@auryn.jones.dk>
Quoting Sebastian Hellmann (2019-03-03 09:41:40)
> Hi Kingsley,
>
> you are writing a lot of text without answering my simple question:
>
> If I find a way to change your public key in your WebID to match my
> private key, can I log into your accounts with my private key?
>
> Your associated accounts for your WebID seem quite valuable already, I
> could target your employees with root access and make them an offer they
> can't refuse.
>
> What security measures against identity theft are in place and where can
> I read about them? This here is minimal:
> https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security

This is a WebID: https://dr.jones.dk/me/#me

That is an identity. Just like "Jonas Smedegaard" is an identity.

It is not secure against identity theft. It is just a URI.

***

An RDF document is served at the URL of my WebID.

That is an identifier. Just like my birth certificate and my passport are identifiers.

It is not secure against identity theft. It is just a document.

***

A public TLS key is contained within my WebID RDF document.

That can be used for (the public part of) WebID+TLS authentication. Just as contacting the church where I was baptised to verify that they got a matching copy of my birth certificate, or calling up the Danish authorities to verify if they got matching credentials for my passport, can authenticate identifiers for my other identities.

***

If you find a way to break into and manipulate my web server, or if you bribe the clerk at the church or the police department, then you can steal my identities.

For WebID+TLS you would want to find flaws in TLS to break into the protocol of authenticating WebIDs _that_ way. And similarly for other authentication protocols of WebID.

There might be ways _specifically_ to how TLS is tied to WebID, and those might be flawed. Which is what you found a document about.

But that document does not cover all the *other* ways you can gain control over my WebID, including simply showing up at my doorstep and kicking me in the face with a bat until I hand over the private TLS key, or burning down my house (it is made of wood) to stop my server from running.

What was your "simple question" again?

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Received on Sunday, 3 March 2019 09:47:47 UTC
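Added example (not from the thread above, nor from any WebID implementation) modelling the document-side check of WebID+TLS that the message describes: the relying party takes the WebID URI from the client certificate's subjectAltName, dereferences the WebID document, and accepts the login only if the certificate's RSA public key is listed as a cert:key of that WebID. It is then run against the scenario in the quoted question, a document whose modulus has been swapped for the attacker's. The WebIDs, key values, Turtle document and the `fetch` callable are constructed stand-ins so it runs offline; the TLS handshake's proof of private-key possession is assumed and not re-implemented.

```python
"""Minimal model of the WebID+TLS relying-party check (added example).

A WebID+TLS relying party receives a client certificate in the TLS
handshake, reads the WebID URI from its subjectAltName, dereferences the
WebID document, and accepts the login if the certificate's RSA public key
(modulus, exponent) appears as a cert:key of that WebID in the document.
The handshake already proved possession of the matching private key; that
part is assumed here.

All WebIDs, key values, documents and the fetch callable are constructed
stand-ins, not real keys or live URLs.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urldefrag

# Hypothetical WebIDs and key material (stand-in values, not real keys).
ALICE_WEBID = "https://example.org/alice/card#me"
ALICE_MODULUS_HEX = "00b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7"
MALLORY_MODULUS_HEX = "00deadbeefcafef00d1234567890abcdef12"

# Constructed WebID profile document in the cert: vocabulary WebID+TLS uses.
ALICE_PROFILE = f"""@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<{ALICE_WEBID}> cert:key [
    a cert:RSAPublicKey ;
    cert:modulus "{ALICE_MODULUS_HEX}"^^xsd:hexBinary ;
    cert:exponent 65537
] .
"""

# Simplified Turtle matching: enough for the profile shape above, not a
# full RDF parser (a real relying party would use an RDF library).
KEY_BLOCK = re.compile(r"<([^>]+)>\s+cert:key\s+\[(.*?)\]\s*\.", re.DOTALL)
MODULUS = re.compile(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"\^\^xsd:hexBinary')
EXPONENT = re.compile(r'cert:exponent\s+"?(\d+)"?')


def extract_rsa_keys(turtle: str, webid: str) -> list[tuple[int, int]]:
    """Return every (modulus, exponent) the document asserts for `webid`.

    Values are compared as integers so hex case and leading zero bytes,
    which differ between encoders, do not cause spurious mismatches."""
    keys = []
    for subject, body in KEY_BLOCK.findall(turtle):
        if subject != webid:
            continue
        mod, exp = MODULUS.search(body), EXPONENT.search(body)
        if mod and exp:
            hex_digits = re.sub(r"\s+", "", mod.group(1))
            keys.append((int(hex_digits, 16), int(exp.group(1))))
    return keys


@dataclass
class ClientCert:
    """The parts of an X.509 client certificate WebID+TLS looks at."""
    san_uris: list[str]
    modulus: int
    exponent: int


def webid_tls_authenticate(cert: ClientCert,
                           fetch: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the first WebID in the certificate whose dereferenced document
    lists the certificate's public key, or None if none does."""
    for webid in cert.san_uris:
        if not webid.startswith(("https://", "http://")):
            continue
        doc_url, _fragment = urldefrag(webid)   # fetch the document, not the fragment
        document = fetch(doc_url)
        if document is None:
            continue
        if (cert.modulus, cert.exponent) in extract_rsa_keys(document, webid):
            return webid
    return None


def make_fetch(documents: dict[str, str]) -> Callable[[str], Optional[str]]:
    """Offline stand-in for dereferencing a WebID document over HTTPS."""
    return lambda url: documents.get(url)


ALICE_CERT = ClientCert([ALICE_WEBID], int(ALICE_MODULUS_HEX, 16), 65537)
# Mallory's own certificate: Alice's WebID in the SAN, but Mallory's key.
MALLORY_CERT = ClientCert([ALICE_WEBID], int(MALLORY_MODULUS_HEX, 16), 65537)

HONEST_FETCH = make_fetch({"https://example.org/alice/card": ALICE_PROFILE})
# The scenario from the quoted question: the modulus in Alice's document
# has been replaced by Mallory's (for instance after a web-server break-in).
TAMPERED_PROFILE = ALICE_PROFILE.replace(ALICE_MODULUS_HEX, MALLORY_MODULUS_HEX)
TAMPERED_FETCH = make_fetch({"https://example.org/alice/card": TAMPERED_PROFILE})


def run_scenarios() -> dict[str, Optional[str]]:
    return {
        "alice, honest document": webid_tls_authenticate(ALICE_CERT, HONEST_FETCH),
        "mallory, honest document": webid_tls_authenticate(MALLORY_CERT, HONEST_FETCH),
        "mallory, tampered document": webid_tls_authenticate(MALLORY_CERT, TAMPERED_FETCH),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {'authenticated as ' + result if result else 'rejected'}")
```

The third scenario is the point of the exchange: nothing in the check above distinguishes a key the WebID owner published from one an intruder wrote into the document, so the relying party's trust reduces to the integrity of the document and of the HTTPS channel it was fetched over.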