Re: Recovery of compromised WebID from Kingsley Idehen on 2019-03-04 (public-webid@w3.org from March 2019)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Sun, 3 Mar 2019 20:11:32 -0500
To: public-webid@w3.org
Message-ID: <fee47322-3e6f-b105-5c66-d05e7da3029b@openlinksw.com>
On 3/3/19 3:41 AM, Sebastian Hellmann wrote:
>
> Hi Kingsley,
>
> you are writing a lot of text without answering my simple question:
>
> If I find a way to change your public key in your WebID to match my
> private key, can I log into your accounts with my private key?
>
> Your associated accounts for your WebID seem quite valuable already, I
> could target your employees with root access and make them an offer
> they can't refuse.
>
> What security measures against identity theft are in place and where
> can I read about them? This here is minimal:
> https://www.w3.org/2005/Incubator/webid/wiki/Identity_Security
>
> All the best,
>
> Sebastian
>
Answer is No.

Explanation in three sentences.

You cannot break the WebID-TLS protocol via possession of Public Keys.

WebID-TLS is an extension of TLS.


BTW:

Can you break TLS via possession of Public Keys?

You do know and understand the nature of Digital Signatures and the role
of the Private Key in Asymmetric Crypto, right?

Why is github be your canonical example, even though your speculative
compromise is invalid ?

Kingsley

>
> On 03.03.19 00:10, Kingsley Idehen wrote:
>> On 3/2/19 8:19 AM, Sebastian Hellmann wrote:
>>>
>>> Hi all,
>>>
>>> I know that everybody is enthusiastic about WebID, but I would like
>>> to know a bit more about what to take care of, when setting this up.
>>>
>>> 1.   https://xkcd.com/792/  applies, right? So If use another server
>>> for hosting WebID like http://holycrab13.github.io/webid.ttl  
>>> Microsoft could change the pub key in some requests (without
>>> changing the data) and then log into almost anything.
>>>
>>
>> A WebID is an identifier. That's it.
>>
>> A WebID-Profile Document is the document to which a WebID resolves.
>> It is the place where credentials (Identity Claims) reside.
>>
>> The WebID-TLS and WebID-TLS+Delegation protocols are Authentication
>> Protocols that verify a WebID by reconciling Identity Claims in an
>> X.509 with specific claims in a WebID-Profile document, courtesy of
>> the objects of a specific relation i.e., cert:key .
>>
>> Logging into a Data Space doesn't mean you have access to anything. 
>> A Data Space will use WebACLs to control access (in various modes) to
>> resources.
>>
>> In this game,  the following are loosely-coupled ensuring no single
>> point of failure or vulnerability:
>>
>> Identity (WebID), Identification (WebID-Profile Doc), Authentication
>> (WebID-TLS or WebID-TLS+Delegation protocols), Authorization
>> (WebACLs), and Storage (Data Spaces hosting a collection of
>> Resources/Documents). 
>>
>>
>>> Same for the WebId on my own server: http://kurzum.net/webid.ttl  
>>> If this get's compromised it is like a meteor hit, since you would
>>> have only one identity for everything.
>>>
>>> 2. This weakness is also mentioned in the security section of OpenID
>>> https://en.wikipedia.org/wiki/OpenID#Privacy_and_trust_issues and
>>> therefore all OpenID Connect weaknesses and security risks apply for
>>> WebID OpenConnect as well.
>>>
>>
>> No!
>>
>> OpenID isn't driven by the same mechanisms as WebID-TLS or
>> WebID-TLS+Delegation.
>>
>>
>>> 3. anything else? I guess the TLS part is quite standard then.
>>>
>>
>> TLS is a standard extended by WebID lookups re. WebID-TLS and
>> WebID-TLS+Delegation.
>>
>>
>>> Although I would need to check whether third parties listening to
>>> the traffic can trace your public key. (inversefunctional?) So they
>>> would know that you made a connection, but not the content of the
>>> connection.
>>>
>>
>> Your Public Key doesn't mean much in a loosely-coupled system that's
>> driven by logic expressed in RDF statement collections.
>>
>>
>> Kingsley
>>
>>> -- 
>>> All the best,
>>> Sebastian Hellmann
>>>
>>> Director of Knowledge Integration and Linked Data Technologies
>>> (KILT) Competence Center
>>> at the Institute for Applied Informatics (InfAI) at Leipzig University
>>> Executive Director of the DBpedia Association
>>> Projects: http://dbpedia.org, http://nlp2rdf.org,
>>> http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
>>> <http://www.w3.org/community/ld4lt>
>>> Homepage: http://aksw.org/SebastianHellmann
>>> Research Group: http://aksw.org
>>
>>
>> -- 
>> Regards,
>>
>> Kingsley Idehen       
>> Founder & CEO 
>> OpenLink Software   
>> Home Page: http://www.openlinksw.com
>> Community Support: https://community.openlinksw.com
>> Weblogs (Blogs):
>> Company Blog: https://medium.com/openlink-software-blog
>> Virtuoso Blog: https://medium.com/virtuoso-blog
>> Data Access Drivers Blog: https://medium.com/openlink-odbc-jdbc-ado-net-data-access-drivers
>>
>> Personal Weblogs (Blogs):
>> Medium Blog: https://medium.com/@kidehen
>> Legacy Blogs: http://www.openlinksw.com/blog/~kidehen/
>>               http://kidehen.blogspot.com
>>
>> Profile Pages:
>> Pinterest: https://www.pinterest.com/kidehen/
>> Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
>> Twitter: https://twitter.com/kidehen
>> Google+: https://plus.google.com/+KingsleyIdehen/about
>> LinkedIn: http://www.linkedin.com/in/kidehen
>>
>> Web Identities (WebID):
>> Personal: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i
>>         : http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this
>>
> -- 
> All the best,
> Sebastian Hellmann
>
> Director of Knowledge Integration and Linked Data Technologies (KILT)
> Competence Center
> at the Institute for Applied Informatics (InfAI) at Leipzig University
> Executive Director of the DBpedia Association
> Projects: http://dbpedia.org, http://nlp2rdf.org,
> http://linguistics.okfn.org, https://www.w3.org/community/ld4lt
> <http://www.w3.org/community/ld4lt>
> Homepage: http://aksw.org/SebastianHellmann
> Research Group: http://aksw.org


-- 
Regards,

Kingsley Idehen       
Founder & CEO 
OpenLink Software   
Home Page: http://www.openlinksw.com
Community Support: https://community.openlinksw.com
Weblogs (Blogs):
Company Blog: https://medium.com/openlink-software-blog
Virtuoso Blog: https://medium.com/virtuoso-blog
Data Access Drivers Blog: https://medium.com/openlink-odbc-jdbc-ado-net-data-access-drivers

Personal Weblogs (Blogs):
Medium Blog: https://medium.com/@kidehen
Legacy Blogs: http://www.openlinksw.com/blog/~kidehen/
              http://kidehen.blogspot.com

Profile Pages:
Pinterest: https://www.pinterest.com/kidehen/
Quora: https://www.quora.com/profile/Kingsley-Uyi-Idehen
Twitter: https://twitter.com/kidehen
Google+: https://plus.google.com/+KingsleyIdehen/about
LinkedIn: http://www.linkedin.com/in/kidehen

Web Identities (WebID):
Personal: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i
        : http://id.myopenlink.net/DAV/home/KingsleyUyiIdehen/Public/kingsley.ttl#this
Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 4 March 2019 01:11:59 UTC