Re: RDFAuth: an initial sketch from Renato Golin on 2008-03-27 (semantic-web@w3.org from March 2008)

From: Renato Golin <renato@ebi.ac.uk>
Date: Thu, 27 Mar 2008 13:59:37 +0000
To: Story Henry <henry.story@bblfish.net>
CC: foaf-dev of a Friend <foaf-dev@lists.foaf-project.org>, Semantic Web <semantic-web@w3.org>
Message-ID: <47EBA849.8070004@ebi.ac.uk>
Hi Henry,


Story Henry wrote:
> 2. the server responds with either:
>    - some minimal information and a yet to be invented return code of 
> 207 PARTIAL INFORMATION

You can use the already existent 206 "Partial Content" for that, I guess.


>    - a 403 Forbidden

401 "Authentication required" will trigger some form of authentication 
on normal browsers (such as htaccess).


>    In either case a header returning some information regarding the type 
> of authentication required is sent back

via WWW-Authenticate header...


> 3. the client sends a GET back with some header information:
>    - the URL of Romeo <http://romeo.name/#romeo>
>    - an encrypted string (perhaps a string sent in the previous response)

A three-way challenge response would be nice here...

1. Romeo gets random text + hash from romeo's
2. Romeo encrypts text with private key and send to juliette's with hash
3. Juliette's sends hash to romeo's and gets text + public key
4. Juliette's decrypts text and compare with romeo's text

The key could be in a public key server though.


> 4. The server controlling Juliette's foaf doc sends a GET request to the 
> foaf file
> 5. The server controlling Romeo's foaf doc returns his foaf file, in any 
> number of formats, or perhaps even a GRDDLable document the server can 
> understand,  containing a link to one of his public pgp keys

You're not taking into account that Romeo might not want Juliette to 
access his foaf file too... I he doesn't you got caught in a deadlock.

The auth scheme should never rely on foaf files, it must be completely 
independent of them because it's a step before actually getting foaf 
files in the first place.


> 7. Juliette uses the answer in 6 to GET the PGP key.
>    (what to do if someone has more that one PGP key?)

Try all of them in descending order of creation time.



> 8. Romeo's server returns the PGP key

Easier to get them from public servers... keeping a list of all trusted 
public servers on Juliette's.



> 9. Juliette's server uses the public key to decrypt the string passed in 
> 3. Having done this Juliette's server now knows that the request in 3 came
>    from software owned by <http://romeo.name/#romeo>.

Passing the same string as before doesn't show that you are romeo, but 
getting the string from a trusted place (like romeo's server) and 
comparing to what "the guy that says he's romeo" encripted with romeo's 
private key might.


> 10. Juliette's server after consulting her policies for 
> <http://romeo.name/#rome>, returns the appropriate response;  a 200 
> perhaps with a fuller foaf file. Perhaps something else needs to be 
> returned, a token to give access to a number of resources (expressed in 
> POWDER perhaps).

You're not dealing with multiple levels of security. You can follow the 
Unix style of groups or hierarchy or even per-person style (very user 
unfriendly) but would be good to say which resources from which files 
each user/group/level might be able to access.



> Some thoughts that just arose from going through the exercise of 
> specifying each of the steps precisely:
>  - what kind of response should be returned in 2? Should this redirect 
> to an authentication server perhaps which would then return some token 
> to give access to all the resources in a domain?

  - 401 if you haven't authenticated
  - 206 if you have and is not Juliette (or someone she trusts 
completely to give full access)
  - 200 else


>  - What about multiple  pgp keys?

Try all, although that would lead to a DOS if one creates hundreds of 
keys just for the sake of killing your server. Even restraining by time 
or only re-reading if the email is different you can still DOS by 
creating hundreds of emails on your own domain in the last 10 minutes.

I say we should restrict the number and if the user have a problem with 
that he should specify the key server as an additional parameter (HTTP 
header) to get from where he knows he have less than N keys where N 
should be *really* small (say 5 or 10). If he still have problems he 
should clean his pgp keys. ;)

my 2 cents...

cheers,
--renato
Received on Thursday, 27 March 2008 14:00:20 UTC