[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Web ID as passwordless authentication for debian web services

Quoting Russ Allbery (2013-05-16 19:57:59)
> Jonas Smedegaard <dr@jones.dk> writes:
> > Quoting Russ Allbery (2013-05-16 17:42:20)
> >> Jonas Smedegaard <dr@jones.dk> writes:
> 
> >>> This seems similar as WebID: In principle ties to HTTPS - and 
> >>> therefore the CA cartel - is only optional (other URIs than http 
> >>> ones suffice).  In reality alternatives to HTTP(S) is work in 
> >>> progress.
> 
> > First of all: Thanks for your quite easy to follow 
> > explanation/reasoning!
> 
> Thanks -- I just hope I'm not projecting false confidence when I don't 
> actually know what I'm talking about!  :) This should all come with 
> the caveat that while I've worked on authentication systems for some 
> years, I've only done a cursory evaluation of WebID, and there may be 
> solutions to the weaknesses that I was glimpsing.

Someone great at explaining with a clue about authentication in general 
but new to WebID is *exactly* what I find valuable here!


> > I believe that with WebID I can get rid of the CA *cartel* while 
> > still reliably using TLS: By using a server cert from same key 
> > material as a PGP key, I can (contrary to a self-signed cert) verify 
> > that the cert is not being handed by a man in the middle (e.g. using 
> > Monkeysphere).
> 
> Sure, but if you have control over the server certificate and are 
> tying the server certificate to the user certificate via some 
> mechanism like Monkeysphere, why do the whole indirection dance 
> through a URI at all?

Because when identifier is a URI then it is reusable for other purposes 
than authentication.

For PGP keysigning, a common way to "authenticate" is to look at a
passport or drivers license.  But we cannot really authenticate that 
way.

In airports when showing a passport, it is matched against a centralized 
database.  The government issuing the passports also provides ways for 
police and other governmental appointed people to authenticate 
passports.

...but noone else are allowed access to those centralized databases.

Imagine if governments separated the identifier from the key (the 
passport with its biometrics and/or photo).  Publishing the way to 
verify the key would have no benefit for governmental use, but would 
allow *others* than governments to more reliably use passports as ways 
to identify.


Hope that makes sense - even if I fear I am being clumsy and confusing 
"identify" and "authenticate" at several places.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Reply to: