Re: WebID error handling from Henry Story on 2020-01-21 (public-webid@w3.org from January 2020)

From: Henry Story <henry.story@gmail.com>
Date: Tue, 21 Jan 2020 12:49:45 +0100
To: Melvin Carvalho <melvincarvalho@gmail.com>, public-webid <public-webid@w3.org>
Cc: Martynas Jusevičius <martynas@atomgraph.com>
Message-Id: <7C018AAB-8FB3-4702-847D-4C42E2D6DB74@gmail.com>

> On 21 Jan 2020, at 12:34, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> 
> 
> 
> On Tue, 21 Jan 2020 at 12:14, Henry Story <henry.story@gmail.com> wrote:
> 
> 
> > On 21 Jan 2020, at 11:45, Martynas Jusevičius <martynas@atomgraph.com> wrote:
> > 
> > Hi,
> > 
> > Does WebID-TLS specify anything related to error handling? I am not
> > able to find anything in the spec.
> > https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
> > 
> > Should a WebID that fails to verify (e.g. URI does not dereference)
> > throw an error or simply be ignored and treated as no authentication?
> > I am leaning towards the latter due to a potentially common failure
> > using localhost WebIDs (below).
> 
> I guess that in a way if the X509 Certificate is self-signed then
> the TLS connection succeeded (the private key was verified), but
> the WebID was not. 
> 
> If you send an error message back using the TLS channel then
> you can’t explain the problem. If you accept the the TLS 
> connection you can send an error message back along HTTP
> with an error code, but then you need to find a way to break
> the TLS session too.
> 
> > The thing with localhost WebIDs is that they can work on the same
> > host, but it will fail to dereference in any decentralized scenario.
> > Should WebID-TLS make a special mention of this?
> 
> Well that is a problem mostly for developers and there is no
> interoperability question there since every developer could
> do things differently without impacting the protocol.
> 
> The problem with TLS is that it does not fit well with HTTP2.0.
> There have been proposals to solve the client reconnection problem
> but I am not sure where they have lead to.
> 
> Im interested in the issues with HTTP2.0 / TLS
> 
> Any pointers?

Martin Thomson of Mozilla has been working on this problem
for the past 6 years or so. I looked around and just 
found this:

https://greenbytes.de/tech/webdav/draft-ietf-httpbis-http2-secondary-certs-05.html

It looks like they are trying to address these issues.
But I have only just glanced at this draft. 
By now it should be quite stable.

Henry Story


>  
> 
> Perhaps have a look also at a version that could use HTTP Signature.
> https://github.com/solid/authentication-panel/blob/master/HttpSignature.md
> Http Signature is now being considered by HTTP WG.
> 
> Henry Story
> 
> > 
> > Martynas
> > atomgraph.com
> > 
> 
>

Received on Tuesday, 21 January 2020 11:49:52 UTC