Re: Web ID as passwordless authentication for debian web services



Jonas Smedegaard <dr@jones.dk> writes:
> Quoting Russ Allbery (2013-05-16 18:37:06)

>> but it's not clear to me why we'd bother as opposed to just issuing
>> client X.509 certificates with the metadata already included.

> Because the very separation of identifiers from the identified makes the
> identifiers usable to reliably semantically express Web of Data.

> http://linkeddata.org/

Could you explain this in more concrete terms?  I'm at a loss to
understand what this means, and the web site wasn't horribly helpful.

A certificate constitutes a public key, signatures on that public key,
some metadata about the certificate itself (such as acceptable usage for
that certificate), and metadata about the entity identified by that
certificate.

The URI pointed to by a WebID certificate contains the public key of the
certificate and metadata about the entity identified by the certificate.

They're both functionally the same thing, except the certificate carries
more information (such as usage information for the certificate) and has a
better-understood security model.  I know how to validate that the
metadata is correctly bound to the certificate; to do the same operation
with WebID, I have to think harder about the security model in place.

I can understand why you may want to externalize the metadata if you have
no control over the certificate creation process and therefore can't put
metadata directly in it.  I don't understand what you gain (other than
complexity) by externalizing the metadata if you *do* control the
certificate generation process.  A certificate can hold whatever
structured data you want, including URIs, structured XML, JSON objects,
etc., and that data is authenticated and integrity-protected via
well-understood existing security protocols without having to invent
something new.

What am I missing?

I suppose one thing that I could be missing is that, with a certificate,
you have no privacy controls over what metadata you release.  Whatever you
put in the certificate is visible to anyone who looks at the certificate.
(Well, you could encrypt it and then distribute a separate key, but that's
getting into pointless complexity.)  Whereas in theory your WebID endpoint
could release different metadata depending on who asks.  But since WebID
doesn't authenticate the entity asking for metadata, I'm not sure that's
really what's going on.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
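The two bindings Russ contrasts above, as an added example in Go; it is not code from this thread, from Debian's web services, or from any WebID implementation. The X.509 side issues a client certificate that carries a URI SAN plus a JSON blob in a private extension and hands the metadata back only after the chain verifies, so a same-length edit to that JSON ("users" to "admin") is rejected because the CA's signature covers it. The WebID side ignores the issuer entirely and only asks whether the document at the SAN URI publishes the same public key as the certificate. Everything specific here is assumed or constructed: the CA name, the URI https://people.example.org/alice#me, the private-arc extension OID, the JSON metadata, and the in-memory map that stands in for fetching the profile document over HTTP.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Assumptions: none of these values come from the thread or from any project.
var (
	metadataOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical private-arc OID
	webID       = "https://people.example.org/alice#me"             // invented identifier
	metadata    = []byte(`{"uid":"alice","groups":["users"]}`)      // constructed metadata
)

// newCert generates a P-256 key for tmpl, signs it with parentKey (or with the
// new key itself when parentKey is nil) and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// setup issues a throwaway CA and a client certificate carrying both the
// identifier (URI SAN) and structured metadata (JSON in a private extension).
func setup() (*x509.CertPool, *x509.Certificate, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Service CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	u, _ := url.Parse(webID)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs: []*url.URL{u},
		// The raw bytes go verbatim into the extension's OCTET STRING.
		ExtraExtensions: []pkix.Extension{{Id: metadataOID, Value: metadata}},
	}
	leaf, _, err := newCert(leafTmpl, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, leaf, err
}

// metadataFromVerifiedCert is the X.509 side: the metadata is trusted because
// the issuer's signature, checked by Verify against roots, covers the whole
// TBSCertificate including the private extension.
func metadataFromVerifiedCert(der []byte, roots *x509.CertPool) ([]byte, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(metadataOID) {
			return ext.Value, nil
		}
	}
	return nil, fmt.Errorf("certificate carries no metadata extension")
}

// webIDCheck is the WebID side: the issuer is ignored; the binding holds only if
// the profile document at the SAN URI publishes the certificate's public key.
// profiles is a constructed in-memory stand-in for dereferencing that URI.
func webIDCheck(der []byte, profiles map[string][]byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if len(cert.URIs) == 0 {
		return "", fmt.Errorf("certificate has no URI SAN to dereference")
	}
	id := cert.URIs[0].String()
	if published, ok := profiles[id]; !ok || !bytes.Equal(published, cert.RawSubjectPublicKeyInfo) {
		return "", fmt.Errorf("profile at %s does not publish the certificate's key", id)
	}
	return id, nil
}

func main() {
	roots, leaf, err := setup()
	if err != nil {
		panic(err)
	}
	got, err := metadataFromVerifiedCert(leaf.Raw, roots)
	fmt.Printf("X.509: metadata %s (err=%v)\n", got, err)
	// A same-length edit keeps the DER parseable, but the TBSCertificate no
	// longer matches the CA's signature, so Verify rejects it.
	bad := bytes.Replace(leaf.Raw, []byte(`"users"`), []byte(`"admin"`), 1)
	_, err = metadataFromVerifiedCert(bad, roots)
	fmt.Printf("X.509: edited metadata rejected (err=%v)\n", err)
	// Constructed profile document: the key the WebID URI is supposed to publish.
	id, err := webIDCheck(leaf.Raw, map[string][]byte{webID: leaf.RawSubjectPublicKeyInfo})
	fmt.Printf("WebID: bound to %s (err=%v)\n", id, err)
}
```

Run with `go run`; it prints the recovered metadata, the verification error for the edited certificate, and the WebID binding. In a real deployment the profiles map is an HTTPS fetch of the profile document, and the key comparison in webIDCheck is only as strong as the trust placed in that fetch, which is the part of the security model the message above says takes more thought.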