WebID-ISSUE-21: Temporally Weak URI Ownership [WebID Spec]


Raised by: Nathan Rixham
On product: WebID Spec

A fundamental element of the WebID protocol, if not the purpose of the protocol, is to establish a URI which can be used as a name (identifier) for the Identifying Agent.

The authorized use of a WebID URI by an Identifying Agent is deemed (by the conceptual protocol) to be established by proving ownership of a token, and then verifying the presence of that token in a representation received by dereferencing the WebID URI.

The realization of this element is currently defined by the use of public/private key pairs: the public key is used as a token, and ownership of that token is confirmed by passing the public key in a certificate as part of the TLS authentication flow (where ownership of the corresponding private key is proven). When the WebID is dereferenced, the presence of the public key in the representation is verified, and the authorized use of that WebID URI is established.

The use of public keys in this manner proves to be temporally weak, in that it only establishes that the key pair holder /had/ write access to the WebID resource at some point in the past; the key pair may since have been stolen, or the machine running the identifying agent may have been compromised.

The WebID protocol, as it stands, does not make any provision for establishing that an identifying agent still has write access to the WebID resource.

Such provision could be made by swapping, or augmenting, the use of key pairs with one-time tokens, or by some other method.

"WebID resource" is used in this case to refer to the agent which responds to dereferencing requests on the "WebID URI".

Received on Tuesday, 1 February 2011 10:45:34 UTC
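
The following sketch is an added illustration, not part of the original issue or of the WebID specification. It models the key-in-profile check described above next to one possible one-time-token check, using an in-memory stand-in for the WebID resource; `WebIDResource`, `key_check`, `fresh_write_check`, the write secret and the key string are all hypothetical names and constructed values.

```python
import secrets

class WebIDResource:
    """In-memory stand-in for the agent that answers dereferences of a WebID URI."""
    def __init__(self, write_secret):
        self._write_secret = write_secret   # models write access to the resource
        self.public_keys = set()            # keys listed in the profile
        self.tokens = set()                 # one-time tokens listed in the profile

    def write(self, write_secret, *, key=None, token=None):
        if not secrets.compare_digest(write_secret, self._write_secret):
            return False                    # caller has no write access
        if key is not None:
            self.public_keys.add(key)
        if token is not None:
            self.tokens.add(token)
        return True

    def dereference(self):
        return {"keys": set(self.public_keys), "tokens": set(self.tokens)}

def key_check(resource, presented_key):
    """Current check: is the TLS-proven public key present in the representation?"""
    return presented_key in resource.dereference()["keys"]

def fresh_write_check(resource, publish):
    """Assumed augmentation: the agent must publish a verifier-chosen nonce now."""
    nonce = secrets.token_urlsafe(16)
    publish(nonce)                          # agent's attempt to write the nonce
    return nonce in resource.dereference()["tokens"]

def run_scenario():
    owner_secret = secrets.token_hex(8)
    res = WebIDResource(owner_secret)
    key = "constructed-public-key"          # placeholder for a real public key
    res.write(owner_secret, key=key)        # owner listed the key in the past

    owner_publish = lambda n: res.write(owner_secret, token=n)
    # A holder of a copied key pair has the key but no write access.
    thief_publish = lambda n: res.write("no-write-access", token=n)
    return {
        "thief_key_check": key_check(res, key),
        "thief_fresh_check": fresh_write_check(res, thief_publish),
        "owner_fresh_check": fresh_write_check(res, owner_publish),
    }

if __name__ == "__main__":
    print(run_scenario())
```

The key check succeeds for anyone holding the key pair, while the nonce check succeeds only for a party that can write to the WebID resource at verification time.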