
Re: Web ID as passwordless authentication for debian web services



Russ Allbery <rra@debian.org> writes:

> So, again, it comes down to what problem we're trying to solve.  If the
> problem is just how do we authenticate Debian contributors to Debian
> systems, then we're actually in the institutional case and we don't have
> to trust anyone outside the project: we can deploy our own central
> authentication system -- a CA, a Kerberos KDC, or any other authentication
> system of choice -- and have all parties trust it, and that will be much
> simpler and much easier to analyze than any of the distributed models.
> Once we have our own CA, we could of course do secure WebID if we wanted
> to using that CA (modulo the inherent dubiousness of substituting endpoint
> authentication for user authentication), but it's not clear to me why we'd
> bother as opposed to just issuing client X.509 certificates with the
> metadata already included.
>

By decoupling the Identity descriptors (meta-data in the WebID
resources) from X509 certs (potentially generated locally and
self-signed), you may have several identifiers for a single auth token,
your TLS client cert.

This is one of the advantages of WebID that may be worth mentioning. The
fact that I'm in control of my identity (my WebID) is certainly key in a
world of delegated login systems relying on social network
operators. Debian (no more than Facebook or my government) doesn't have
to tell who I am, if I can write my own (master) profile with vi.
So Debian wouldn't need to issue certificates, if it trusts GPG-signed
WebIDs, whereas other communities / employers / freedomboxes will have
other trust mechanisms, and you'll always use a single TLS cert to SSO
everywhere you want to be recognized.

Or maybe it's not that easy / beautiful?

I tend to think that basing on a standard like RDF for meta-data
description also brings a lot of inherent interoperability compared to
Kerberos, SAML or the like... but I'm no expert in auth system
interoperability.

I agree that the distributed aspect seems to imply increased complexity of
the trust verification...


I'm not sure I completely understand what we're trying to solve, and we
may only discover by trying / experimenting (serendipity), but I like
the idea that the same RDF Turtle documents I've hand-written and GPG-
signed could both be a basis for traceability of my contributions in
Debian and other communities (one aspect of Linked Data use for FLOSS
development artifact traceability I'm researching) and for SSO to
forges and various Web tools of those communities
([mentors|whois|alioth].debian.org, etc.)...

I very much like such convergence: the profile *I* write (using a
standard semantic language), complemented by one published by the Debian
portal, complemented by others, and bound to a TLS cert *I* generated,
is all I need for many things in this distributed (Web) world, provided
I have established links with the GPG WoT... GPG isn't Linked Data,
so it's not all pure Semantic Web, so it's not (yet) perfect, but we're
getting closer ;-)

I may just be dreaming too much of silver bullets? ;)

Hope this makes sense anyhow.

Best regards,
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - INF Dept
Institut Mines-Telecom, Telecom SudParis, Evry (France)
