Re: Web ID as passwordless authentication for debian web services



Hi again.

Russ Allbery <rra@debian.org> writes:

> I can understand why you may want to externalize the metadata if you have
> no control over the certificate creation process and therefore can't put
> metadata directly in it.  I don't understand what you gain (other than
> complexity) by externalizing the metadata if you *do* control the
> certificate generation process.  A certificate can hold whatever
> structured data you want, including URIs, structured XML, JSON objects,
> etc., and that data is authenticated and integrity-protected via
> well-understood existing security protocols without having to invent
> something new.
>

I'm not sure, but I seem to recall that it was quite hard to make sure
the SSL certs could store extended attributes, and that the "hack" of
using "Subject Alternative Name" to place a URI there (pointing to the
FOAF) was the one fortunate discovery that rendered this usable in
practice.

Maybe what's true for X.509 certs generation in the CA context where you
can basically (hope) to put as much meta-data in there is different from
the time when an HTTPS server requires a client cert generation to the
requesting browser, where only a minimal set of meta-data is accepted by
the browser crypto engines in the generation query?

> What am I missing?
>
> I suppose one thing that I could be missing is that, with a certificate,
> you have no privacy controls over what metadata you release.  Whatever you
> put in the certificate is visible to anyone who looks at the certificate.
> (Well, you could encrypt it and then distribute a separate key, but that's
> getting into pointless complexity.)  Whereas in theory your WebID endpoint
> could release different metadata depending on who asks.  

Indeed. My FreedomBox may refuse to share my profile with colleagues
whereas it may allow fellow debianers to get access, for instance
(reusing the example of my 3 identities in a previous post).

> But since WebID
> doesn't authenticate the entity asking for metadata, I'm not sure that's
> really what's going on.
>

It may, but this may not be covered by the standard, only by details of
implementation setup.

I think there are interesting chicken and egg / loops problems that can
be imagined.

WebID is not stabilized yet, in any case, and I may have overlooked
problems.

Maybe any further discussion not really related to debian per se
deserves a followup to the W3C working group for WebID? ;)

My 2 cents again.

Best regards,
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
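
As an added illustration that is not part of the thread: the Subject Alternative Name URI mentioned in the message above, placed in a throwaway self-signed certificate and read back the way a relying service might. It uses the Python `cryptography` package; the URIs, the helper names and the "exactly one https URI" policy are assumptions of this example.

```python
# Added example: constructed data only; helper names and policy are hypothetical.
import datetime
from urllib.parse import urlsplit

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_client_cert(san_uris):
    """Build a throwaway self-signed cert whose SAN carries the given URIs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed WebID demo")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if san_uris:
        san = x509.SubjectAlternativeName(
            [x509.UniformResourceIdentifier(u) for u in san_uris])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256())


def webid_uri(cert):
    """Return the single https URI claimed in the SAN, or None.

    The URI is only a claim made by the certificate holder: the profile
    behind it still has to list this certificate's public key.
    """
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return None  # no SAN at all: nothing to dereference
    uris = san.value.get_values_for_type(x509.UniformResourceIdentifier)
    if len(uris) != 1:
        return None  # ambiguous or absent identity claim
    parts = urlsplit(uris[0])
    if parts.scheme != "https" or not parts.hostname:
        return None  # refuse profiles that cannot be fetched over TLS
    return uris[0]
```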