
Re: Web ID as passwordless authentication for debian web services



Jonas Smedegaard <dr@jones.dk> writes:

> This seems similar to WebID: In principle ties to HTTPS - and therefore
> the CA cartel - are only optional (other URIs than http ones suffice).
> In reality alternatives to HTTP(S) are work in progress.

Changing the protocol doesn't help you get away from the CA dependency.
The reason why there's a CA dependency is not because it happens to use
the HTTPS protocol.  It's because you have to authenticate the provider of
identity data (the other end of the URI, whatever it may be) or you're
vulnerable to having the attacker intercept your query and supply whatever
data they want.  There's no way around that.

To get away from the CA model, WebID is going to have to introduce another
authentication system to verify the other end of the URI, not just another
protocol.  And there aren't a lot of protocols out there for doing that
sort of distributed, federated authentication other than X.509 and the CA
model.

You could, in theory, switch to DNSSEC, but now you're just replacing one
CA cartel with another.

In theory, you could use the PGP web of trust instead, but bear in mind
that the security model of WebID is based on validating the URI endpoint
rather than the user.  URI endpoints generally don't have PGP keys, nor
are they generally part of the PGP web of trust, so there's a bit of a
bootstrapping problem there.

To a large extent, the practical effect of WebID is that it's a way of
substituting one authentication system for another.  The problem that it's
trying to solve is that user key distribution and key verification is
hard, so it allows the user to bind their key to a URI and the server to
verify that the URI and the key are bound by retrieving the URI.  In
essence, this moves the authentication problem from user authentication to
URI endpoint authentication, under the theory that we already know how to
validate URI endpoints and that such validation is an easier problem.  If
you don't agree with the assertion that we already know how to validate
URI endpoints (which is the source of the objections to trusting the CA
cartel), WebID looks to me like it basically falls apart from a security
standpoint.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
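The point about the interception of the profile fetch, shown in code. This is an added example that is not part of the message above nor code from the WebID project: a toy WebID-TLS style verifier in Python. The client presents a self-signed certificate carrying a WebID URI and a public key, proves possession of the key by signing a nonce, and the server then dereferences the URI and checks that the published profile binds the same key. Assumptions: the RSA keys are textbook, unpadded and built from small fixed primes (insecure, chosen only to keep the arithmetic self-contained); the profile is reduced to a `modulus`/`exponent` pair standing in for the `cert:modulus`/`cert:exponent` triples of a real profile; the URIs and the `ALICE_ORIGIN`/`MALLORY_ORIGIN` strings are invented, and the origin string stands in for the server identity that TLS server-certificate validation (and hence the CA) would vouch for. The two fetch functions model an honest dereference and an attacker on the path answering the query instead.

```python
import hashlib
import secrets
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys


def toy_rsa_keypair(p: int, q: int):
    """Textbook RSA from two fixed primes. Toy only: no padding, tiny modulus."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), d


def _hash_to_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(d: int, n: int, message: bytes) -> int:
    return pow(_hash_to_int(message, n), d, n)


def verify(pub, message: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(message, n)


@dataclass(frozen=True)
class ClientCert:
    """Self-signed client certificate reduced to the two fields WebID-TLS uses:
    the WebID URI (from subjectAltName) and the public key."""
    webid: str
    pub: tuple


# Constructed keys (Mersenne primes, chosen only so the arithmetic is fast).
ALICE_PUB, ALICE_PRIV = toy_rsa_keypair(2**31 - 1, 2**61 - 1)
MALLORY_PUB, MALLORY_PRIV = toy_rsa_keypair(2**89 - 1, 2**107 - 1)

ALICE_WEBID = "https://alice.example/profile#me"     # assumed URI
ALICE_ORIGIN = "sha256:alice.example-server-cert"    # stand-in for the server cert a CA vouches for
MALLORY_ORIGIN = "sha256:mallory-controlled-server-cert"

# Alice's profile document, reduced to the key binding (cert:modulus /
# cert:exponent in a real RDF profile). Constructed sample data.
HONEST_WEB = {
    ALICE_WEBID: {"modulus": ALICE_PUB[0], "exponent": ALICE_PUB[1]},
}


def honest_fetch(uri):
    """Dereference the WebID; the channel reports the server identity it saw."""
    return ALICE_ORIGIN, HONEST_WEB[uri]


def intercepted_fetch(uri):
    """Attacker on the path answers the query with a profile binding *their* key.
    They cannot present alice.example's server certificate, only their own."""
    return MALLORY_ORIGIN, {"modulus": MALLORY_PUB[0], "exponent": MALLORY_PUB[1]}


def authenticate(cert, nonce, sig, fetch, expected_origin=None) -> bool:
    """Server-side WebID check.
    1. The client proves it holds the private key for the key in its cert.
    2. The server dereferences the WebID URI and checks that the published
       key matches the cert's key. With expected_origin=None the fetched
       profile is taken on faith; otherwise the endpoint must be the one
       we expect, i.e. the URI endpoint itself is authenticated."""
    if not verify(cert.pub, nonce, sig):
        return False
    origin, profile = fetch(cert.webid)
    if expected_origin is not None and origin != expected_origin:
        return False  # endpoint authentication failed: don't trust the profile
    n, e = cert.pub
    return profile.get("modulus") == n and profile.get("exponent") == e


def run_scenarios():
    nonce = secrets.token_bytes(32)
    alice_cert = ClientCert(ALICE_WEBID, ALICE_PUB)
    alice_sig = sign(ALICE_PRIV, ALICE_PUB[0], nonce)
    # Mallory claims Alice's WebID but can only sign with her own key.
    mallory_cert = ClientCert(ALICE_WEBID, MALLORY_PUB)
    mallory_sig = sign(MALLORY_PRIV, MALLORY_PUB[0], nonce)
    return {
        "alice_honest": authenticate(alice_cert, nonce, alice_sig, honest_fetch, ALICE_ORIGIN),
        "mallory_vs_honest_fetch": authenticate(mallory_cert, nonce, mallory_sig, honest_fetch, ALICE_ORIGIN),
        "mallory_mitm_no_endpoint_auth": authenticate(mallory_cert, nonce, mallory_sig, intercepted_fetch),
        "mallory_mitm_with_endpoint_auth": authenticate(mallory_cert, nonce, mallory_sig, intercepted_fetch, ALICE_ORIGIN),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The third scenario is the one the message is about: the possession proof succeeds, the profile fetch is intercepted, and Mallory is accepted as Alice even though nothing about her key or certificate was ever forged. The only thing that separates it from the fourth scenario is the check on who answered the fetch, which is exactly the piece that has to come from a CA, a pin, DNSSEC or some other endpoint-authentication system.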

