Re: Web ID as passwordless authentication for debian web services
Quoting Russ Allbery (2013-05-16 20:40:24)
> Jonas Smedegaard <dr@jones.dk> writes:
> > Quoting Russ Allbery (2013-05-16 18:37:06)
>
> >> but it's not clear to me why we'd bother as opposed to just issuing
> >> client X.509 certificates with the metadata already included.
>
> > Because the very separation of identifiers from the identified makes
> > the identifiers usable to reliably semantically express Web of Data.
>
> > http://linkeddata.org/
>
> Could you explain this in more concrete terms? I'm at a loss to
> understand what this means, and the web site wasn't horribly helpful.
Please see my other post where I try to draw a parallel to government
passports used for PGP keysigning.
> A certificate constitutes a public key, signatures on that public key,
> some metadata about the certificate itself (such as acceptable usage
> for that certificate), and metadata about the entity identified by
> that certificate.
>
> The URI pointed to by a WebID certificate contains the public key of
> the certificate and metadata about the entity identified by the
> certificate.
>
> They're both functionally the same thing, except the certificate
> carries more information (such as usage information for the
> certificate) and has a better-understood security model. I know how
> to validate that the metadata is correctly bound to the certificate;
> to do the same operation with WebID, I have to think harder about the
> security model in place.
>
> I can understand why you may want to externalize the metadata if you
> have no control over the certificate creation process and therefore
> can't put metadata directly in it. I don't understand what you gain
> (other than complexity) by externalizing the metadata if you *do*
> control the certificate generation process. A certificate can hold
> whatever structured data you want, including URIs, structured XML,
> JSON objects, etc., and that data is authenticated and
> integrity-protected via well-understood existing security protocols
> without having to invent something new.
>
> What am I missing?
I think you are missing the potential for third-parties to make use of
identifiers without needing authentication.
Without WebID, Debian stores internally the knowledge that "we have a
user js" corresponding to a means for me to authenticate that "I am the
js @ Debian".
With WebID, Debian publishes that "we have a user js" both corresponding
to a means for me to authenticate that "I am the js @ Debian" and others
to refer to "the js @ Debian".
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
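The binding step Russ describes (the profile at the certificate's subjectAltName URI must republish the certificate's own public key, otherwise the identifier is not confirmed) sketched as an added example, not code from the thread or from any WebID implementation; the certificate object, the profile document and the "fetch" are constructed stand-ins.

```python
"""WebID-TLS style check: does the profile document that the certificate's
SAN URI points to publish the same public key as the certificate itself?
The TLS handshake already proves possession of the private key; this check
is what ties that key to the published identifier."""
import re
from dataclasses import dataclass


@dataclass
class ClientCert:
    """Minimal stand-in for an X.509 client certificate (constructed)."""
    san_uri: str   # subjectAltName URI, e.g. https://example.org/js#me
    modulus: int   # RSA public modulus
    exponent: int  # RSA public exponent


# Constructed profile documents keyed by the URL a verifier would fetch.
# Real WebID profiles are RDF (Turtle here); only the cert:modulus and
# cert:exponent values matter for the key comparison.
PROFILES = {
    "https://example.org/js": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
<#me> cert:key [ cert:modulus "00c0ffee1234"^^xsd:hexBinary ;
                 cert:exponent 65537 ] .
""",
}


def fetch_profile(uri):
    """Dereference the WebID with its fragment stripped (offline lookup here)."""
    return PROFILES.get(uri.split("#", 1)[0])


def profile_keys(doc):
    """Extract (modulus, exponent) pairs from the profile. A regex is enough
    for this constructed document; real profiles need an RDF parser."""
    mods = [int(m, 16) for m in re.findall(r'cert:modulus\s+"([0-9a-fA-F]+)"', doc)]
    exps = [int(e) for e in re.findall(r"cert:exponent\s+(\d+)", doc)]
    return set(zip(mods, exps))


def verify_webid(cert):
    """Return the WebID if its profile confirms the cert's key, else None.
    A missing profile or a key mismatch both reject the identifier."""
    doc = fetch_profile(cert.san_uri)
    if doc is None or (cert.modulus, cert.exponent) not in profile_keys(doc):
        return None
    return cert.san_uri
```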