
Re: Web ID as passwordless authentication for debian web services



Quoting Russ Allbery (2013-05-16 20:40:24)
> Jonas Smedegaard <dr@jones.dk> writes:
> > Quoting Russ Allbery (2013-05-16 18:37:06)
> 
> >> but it's not clear to me why we'd bother as opposed to just issuing 
> >> client X.509 certificates with the metadata already included.
> 
> > Because the very separation of identifiers from the identified makes 
> > the identifiers usable to reliably semantically express Web of Data.
> 
> > http://linkeddata.org/
> 
> Could you explain this in more concrete terms?  I'm at a loss to 
> understand what this means, and the web site wasn't horribly helpful.

Please see my other post where I try to draw a parallel to government 
passports used for PGP keysigning.


> A certificate constitutes a public key, signatures on that public key, 
> some metadata about the certificate itself (such as acceptable usage 
> for that certificate), and metadata about the entity identified by 
> that certificate.
> 
> The URI pointed to by a WebID certificate contains the public key of 
> the certificate and metadata about the entity identified by the 
> certificate.
> 
> They're both functionally the same thing, except the certificate 
> carries more information (such as usage information for the 
> certificate) and has a better-understood security model.  I know how 
> to validate that the metadata is correctly bound to the certificate; 
> to do the same operation with WebID, I have to think harder about the 
> security model in place.
> 
> I can understand why you may want to externalize the metadata if you 
> have no control over the certificate creation process and therefore 
> can't put metadata directly in it.  I don't understand what you gain 
> (other than complexity) by externalizing the metadata if you *do* 
> control the certificate generation process.  A certificate can hold 
> whatever structured data you want, including URIs, structured XML, 
> JSON objects, etc., and that data is authenticated and 
> integrity-protected via well-understood existing security protocols 
> without having to invent something new.
> 
> What am I missing?

I think you are missing the potential for third-parties to make use of 
identifiers without needing authentication.

Without WebID, Debian stores internally the knowledge that "we have a 
user js" corresponding to a means for me to authenticate that "I am the 
js @ Debian".

With WebID, Debian publishes that "we have a user js" both corresponding 
to a means for me to authenticate that "I am the js @ Debian" and others 
to refer to "the js @ Debian".



 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
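The dereference-and-compare step Russ describes above (the certificate's URI points at a profile that carries the same public key), as an added Python sketch that is not part of this thread or of any Debian code. The profile text, the host name and the key values are constructed; the Turtle shape follows the W3C cert ontology used by WebID-TLS, and the regex extraction stands in for a real RDF parser.

```python
import re

# Constructed sample profile document: what the WebID URI in the client
# certificate's subjectAltName dereferences to. Host and key values are
# hypothetical; the vocabulary is the W3C cert ontology.
SAMPLE_PROFILE = """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "00c0ffee1234abcd"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
"""

# Constructed stand-in for an HTTPS fetch: maps a document URI to its body.
CONSTRUCTED_WEB = {"https://example.invalid/js": SAMPLE_PROFILE}


def fetch(uri):
    """Offline fetch; a real verifier would do an HTTPS GET here."""
    if uri not in CONSTRUCTED_WEB:
        raise OSError("not found: " + uri)
    return CONSTRUCTED_WEB[uri]


def profile_keys(turtle):
    """Return (modulus, exponent) pairs asserted via cert:key in a profile."""
    keys = []
    for block in re.findall(r"cert:key\s*\[(.*?)\]", turtle, re.S):
        mod = re.search(r'cert:modulus\s+"([0-9a-fA-F]+)"', block)
        exp = re.search(r"cert:exponent\s+(\d+)", block)
        if mod and exp:
            keys.append((int(mod.group(1), 16), int(exp.group(1))))
    return keys


def verify_webid(san_uris, cert_modulus, cert_exponent, fetch_fn=fetch):
    """Return the first SAN URI whose profile asserts exactly the cert's key.

    The certificate is typically self-signed, so nothing in the PKI binds
    the URI to the key: the binding comes from dereferencing the URI over
    an authenticated origin and finding the identical key there. Keys that
    merely share a modulus, or a profile served over plain http, do not count."""
    for uri in san_uris:
        if not uri.startswith("https://"):
            continue  # an unauthenticated origin cannot vouch for the key
        try:
            doc = fetch_fn(uri.split("#", 1)[0])  # fragment names the agent
        except OSError:
            continue
        if (cert_modulus, cert_exponent) in profile_keys(doc):
            return uri
    return None
```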

