Limit public keys and SAN entries? (was Re: Updated IdP to new spec.) from Stéphane Corlosquet on 2011-11-29 (public-xg-webid@w3.org from November 2011)

From: Stéphane Corlosquet <scorlosquet@gmail.com>
Date: Mon, 28 Nov 2011 21:05:06 -0500
To: Peter Williams <home_pw@msn.com>
Cc: andrei@fcns.eu, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-ID: <CAGR+nnFPzJQFZNBGKhS--nD-4f=TXe6sQV7uvvP=6zH2LVRm3w@mail.gmail.com>
Hi Peter,

On Mon, Nov 28, 2011 at 8:39 PM, Peter Williams <home_pw@msn.com> wrote:

>
>
> I vote we impose a limit of one, but that the text says... a future
> version of the standard will very likely reconsider this limit, as user
> experience is gained.
>

I'm assuming you are talking about public keys of a given WebID profile?
That won't for multi browser support, unless you either manage to generate
certificates with the same pubkey in all your browsers, or you use a
separate WebID profile for each browser.


>
>
> Similarly, I vote that the hexbinary format of the modulus in a webid
> profile should be required to be only lower-case hex digits (rather than
> free form).
>
>
> I'm tempted to suggests that only 1 URI be permitted in the cert too, with
> similar language about the strong likelihood of this changing as
> anticipated needs actually materialize.
>

Have you considered the reasons for allowing multiple SANs? [1] (there are
more) What's your reasoning for limiting it to one? I recall you had some
limitation from your library? Surely that is not the only reason I hope.

Steph.

[1] http://www.w3.org/2005/Incubator/webid/track/issues/1


>
>
>
> ________________________________
> > Date: Tue, 29 Nov 2011 00:18:23 +0100
> > From: andrei@fcns.eu
> > To: public-xg-webid@w3.org
> > Subject: Re: Updated IdP to new spec.
> >
> > Hi Kingsley,
> >
> > Yeah, it looks like I forgot to limit the test for the number of public
> > keys a foaf profile can have. Maybe we can have a formal discussion on
> > this subject.
> >
> > What would be a "best practice" in this case?
> >
> > How many keys can we have in a single profile, so that it will not look
> > like a DoS attack?
> >
> > Andrei
> >
> >
> > On 11/28/11 22:01, Kingsley Idehen wrote:
> > Andrei,
> >
> > Output from testing a latest WebID from our generator [1][2] against
> > your verifier. I notice you scan all six of the public key relations in
> > my graph. What happens it there were more? Wouldn't your system
> > timeout? Luckily I cleaned out the 30+ relations I had prior to this
> > test. What about performing an explicit lookup?
> >
> >
> > * Checking ownership of certificate (public key matches private
> > key)... PASSED (Reason: GENEROUS)
> >
> > * Checking if certificate contains URIs in the subjectAltName field...
> PASSED
> >
> > * Found 1 URIs in the certificate (a maximum of 3 will be tested).
> >
> > * Checking URI
> > 1 (http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this)...
> > - Trying to fetch and process certificate(s) from webid profile...
> > Testing if the modulus representation matches the one in the
> > webid (found a modulus value)...
> >
> > Testing modulus... - FAILED
> > WebID=f4990925e526be2.......a5c172d91fafa01
> > Cert =994d0067dd21021.......ca1e663983345d3
> >
> > Testing if the modulus representation matches the one in the
> > webid (found a modulus value)...
> >
> > Testing modulus... - FAILED
> > WebID=c9cbdde371ea987.......c3d4e28dfe27423
> > Cert =994d0067dd21021.......ca1e663983345d3
> >
> > Testing if the modulus representation matches the one in the
> > webid (found a modulus value)...
> >
> > Testing modulus... - FAILED
> > WebID=d633f04252a9b3f.......e719cb59227d8a7
> > Cert =994d0067dd21021.......ca1e663983345d3
> >
> > Testing if the modulus representation matches the one in the
> > webid (found a modulus value)...
> >
> > Testing modulus... - FAILED
> > WebID=db0aec1b33f4909.......8ea627df06f60b3
> > Cert =994d0067dd21021.......ca1e663983345d3
> >
> > Testing if the modulus representation matches the one in the
> > webid (found a modulus value)...
> >
> > Testing modulus... - FAILED
> > WebID=cd3ff1569dc66df.......e3ab848cfccd1e7
> > Cert =994d0067dd21021.......ca1e663983345d3
> >
> > Testing if the modulus representation matches the one in the
> > webid (found a modulus value)...
> >
> > Testing modulus... PASSED
> > WebID=994d0067dd21021.......ca1e663983345d3
> > Cert =994d0067dd21021.......ca1e663983345d3
> >
> > Match found, ignoring futher tests!
> >
> > * Authentication successful!
> >
> >
> >
> >
> > Your certificate contains the following WebIDs:
> >
> > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
> >
> > The WebID URI used to claim your identity is:
> >
> > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
> > (your claim was SUCCESSFUL!)
> >
> > The WebID URL suffix (to be signed) for your service provider is:
> >
> > *
> > ?webid=
> http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this&ts=2011-11-28UTC20:53:50+00:00
> <
> http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this%26ts%3d2011-11-28UTC20%3a53%3a50+00%3a00
> >
> >
> > Unless both of those strings map to the same number, your
> > identification experience will vary across clients.
> >
> >
> >
> >
> > Your certificate in PEM format:
> >
> > -----BEGIN CERTIFICATE-----
> > MIIDlDCCAv2gAwIBAgICALAwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UEBhMCVVMx
> > FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcUCkJ1cmxpbmd0b24xHjAc
> > BgNVBAoUFU9wZW5saW5rIFNvZnR3YXJlIEluYzEaMBgGA1UEAxQRaWQubXlvcGVu
> > bGluay5uZXQwHhcNMTExMTI4MjA1MDI4WhcNMTIxMTI3MjA1MDI4WjCBgzEtMCsG
> > A1UEAxMkS2luZ3NsZXkgVXlpIElkZWhlbiAoTXlPcGVuTGluayBOZXcpMSswKQYD
> > VQQKEyJPcGVuTGluayBTb2Z0d2FyZSAoTXlPcGVuTGluayBJZFApMSUwIwYJKoZI
> > hvcNAQkBFhZraWRlaGVuQG9wZW5saW5rc3cuY29tMIIBIjANBgkqhkiG9w0BAQEF
> > AAOCAQ8AMIIBCgKCAQEAmU0AZ90hAhmkSb6xhPIOpQ6ajKces9uLQl/1yPBW1PiK
> > VZxhfk9LILVGNZEdRcYk1B+Ejmzfo62hpo9u3Iu9RbVBjsNsy7DAWtqNkdnCq16p
> > P5gkuukObDMXmMLINCdgy0lMu9Mhg8E81Dy9wMInbGm85j9wkO3CCypN5E9WgAFu
> > GeEgV76AAfOjMWHS/quH21o1Hn7aM+MHts1UonGg6kpHupOY1/ERGBIc7KcIYuhm
> > cZj1/BmSQXHYdYsuHSd/c8d6DFjWKO/a3pdBhXVT6qTFTILEXwiy7xurj3RSrt57
> > jjgsqcJFd2XBRRXJIVLFi93arnHPxpEcoeZjmDNF0wIDAQABo4GeMIGbMB0GA1Ud
> > DgQWBBQQpXFH3GrJwhziRGoN6dvlFLF0fTBLBgNVHREERDBChkBodHRwOi8vaWQu
> > bXlvcGVubGluay5uZXQvZGF0YXNwYWNlL3BlcnNvbi9LaW5nc2xleVV5aUlkZWhl
> > biN0aGlzMC0GCWCGSAGG+EIBDQQgFh5WaXJ0dW9zbyBHZW5lcmF0ZWQgQ2VydGlm
> > aWNhdGUwDQYJKoZIhvcNAQEFBQADgYEAuL9WUixSviSQA6AeIoTguFbam7XA/med
> > eoPnQ13o0erjkAjui+5UBLIMzih4r6Ma/wMrO3HsmU3Zw9/jPyJd+sWXaeYdQOPt
> > 7S+rDHLoYJrafoWA1UORCp/HuOpB2JIdX4pxAO4tNKPQr29I2GdCu3RoTgVrkdNP
> > HrF0JktHuj0=
> > -----END CERTIFICATE-----
> >
> >
> >
> > Your certificate in text format:
> >
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 176 (0xb0)
> > Signature Algorithm: sha1WithRSAEncryption
> > Issuer: C=US, ST=Massachusetts, L=Burlington, O=Openlink Software Inc,
> CN=id.myopenlink.net
> > Validity
> > Not Before: Nov 28 20:50:28 2011 GMT
> > Not After : Nov 27 20:50:28 2012 GMT
> > Subject: CN=Kingsley Uyi Idehen (MyOpenLink New), O=OpenLink Software
> (MyOpenLink IdP)/emailAddress=kidehen@openlinksw.com<mailto:IdP%29
> /emailAddress=kidehen@openlinksw.com>
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > RSA Public Key: (2048 bit)
> > Modulus (2048 bit):
> > 00:99:4d:00:67:dd:21:02:19:a4:49:be:b1:84:f2:
> > 0e:a5:0e:9a:8c:a7:1e:b3:db:8b:42:5f:f5:c8:f0:
> > 56:d4:f8:8a:55:9c:61:7e:4f:4b:20:b5:46:35:91:
> > 1d:45:c6:24:d4:1f:84:8e:6c:df:a3:ad:a1:a6:8f:
> > 6e:dc:8b:bd:45:b5:41:8e:c3:6c:cb:b0:c0:5a:da:
> > 8d:91:d9:c2:ab:5e:a9:3f:98:24:ba:e9:0e:6c:33:
> > 17:98:c2:c8:34:27:60:cb:49:4c:bb:d3:21:83:c1:
> > 3c:d4:3c:bd:c0:c2:27:6c:69:bc:e6:3f:70:90:ed:
> > c2:0b:2a:4d:e4:4f:56:80:01:6e:19:e1:20:57:be:
> > 80:01:f3:a3:31:61:d2:fe:ab:87:db:5a:35:1e:7e:
> > da:33:e3:07:b6:cd:54:a2:71:a0:ea:4a:47:ba:93:
> > 98:d7:f1:11:18:12:1c:ec:a7:08:62:e8:66:71:98:
> > f5:fc:19:92:41:71:d8:75:8b:2e:1d:27:7f:73:c7:
> > 7a:0c:58:d6:28:ef:da:de:97:41:85:75:53:ea:a4:
> > c5:4c:82:c4:5f:08:b2:ef:1b:ab:8f:74:52:ae:de:
> > 7b:8e:38:2c:a9:c2:45:77:65:c1:45:15:c9:21:52:
> > c5:8b:dd:da:ae:71:cf:c6:91:1c:a1:e6:63:98:33:
> > 45:d3
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Subject Key Identifier:
> > 10:A5:71:47:DC:6A:C9:C2:1C:E2:44:6A:0D:E9:DB:E5:14:B1:74:7D
> > X509v3 Subject Alternative Name:
> > URI:http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
> > Netscape Comment:
> > Virtuoso Generated Certificate
> > Signature Algorithm: sha1WithRSAEncryption
> > b8:bf:56:52:2c:52:be:24:90:03:a0:1e:22:84:e0:b8:56:da:
> > 9b:b5:c0:fe:67:9d:7a:83:e7:43:5d:e8:d1:ea:e3:90:08:ee:
> > 8b:ee:54:04:b2:0c:ce:28:78:af:a3:1a:ff:03:2b:3b:71:ec:
> > 99:4d:d9:c3:df:e3:3f:22:5d:fa:c5:97:69:e6:1d:40:e3:ed:
> > ed:2f:ab:0c:72:e8:60:9a:da:7e:85:80:d5:43:91:0a:9f:c7:
> > b8:ea:41:d8:92:1d:5f:8a:71:00:ee:2d:34:a3:d0:af:6f:48:
> > d8:67:42:bb:74:68:4e:05:6b:91:d3:4f:1e:b1:74:26:4b:47:
> > ba:3d
> >
> >
> > --
> >
> > Regards,
> >
> > Kingsley Idehen
> > Founder & CEO
> > OpenLink Software
> > Company Web: http://www.openlinksw.com
> > Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> > Twitter/Identi.ca handle: @kidehen
> > Google+ Profile: https://plus.google.com/112399767740508618350/about
> > LinkedIn Profile: http://www.linkedin.com/in/kidehen
> >
> >
> >
> >
> >
> >
>
Received on Tuesday, 29 November 2011 02:05:48 UTC