
Re: WebID as passwordless authentication for debian web services



Olivier Berger <olivier.berger@it-sudparis.eu> writes:
> Russ Allbery <rra@debian.org> writes:

>> Oh, absolutely.  If you are in a position to verify PGP signatures from
>> the user, you can of course use PGP as the authentication method, at
>> which point you don't need to trust anything other than PGP.  The
>> problem, of course, is that this too just moves the authentication
>> problem, this time to the PGP world.  You still need to establish the
>> trust chain, since anyone can make a GnuPG key claiming to be for a
>> particular person.  (Someone created a bogus key for me, for example.)

> We do verify such trust chains every day for db.debian.org AFAIU (and of
> course for uploads)... so provided a GPG public key is in our keyrings,
> it can be used to "certify" a WebID document, by verifying that it has
> been signed by the correct GPG key, right?

Oh, absolutely.  For Debian, it makes the most sense to use PGP as the
basis for authentication since PGP is the official authentication
mechanism of the project and is quite strong.

Debian is almost uniquely positioned to use PGP for user authentication.
We have one of the best PGP-based authentication systems that I've ever
seen.  Most other organizations don't have anywhere near as well-developed
of a PGP trust model.

> So, if I'm not trying to think too far of potential abuses, in practical
> terms, my understanding is that we may use WebID + TLS for Debian,
> provided that we only trust FOAF/WebID documents signed with GPG by
> Debian participants which would have been registered in a DB of ours as
> allowing the use of a (remote) WebID, such registration being made with
> the same GPG key's signature (for instance using the mail gateway of
> db.debian.org).

Yes.  WebID + PGP signatures on the metadata would be a way (secure so far
as I can tell) to associate X.509 certificates to PGP keys and use those
certificates for authentication.

> My understanding is that once a Debian member has signed a document and
> made that document and its GPG signature available at a URL and that a
> Debian server can fetch it at that same URL, and verify it is signed by
> him/her (he/she's in the keyring), that's enough Debian has to care of
> whether this document describes the "right" identity.

I agree.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
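The chain of checks the thread settles on (client certificate's WebID URL, document fetched from that URL, signature from a key in the Debian keyring, WebID registered under that same key, document binding the presented certificate), written out as an added Python example. This is not code from Debian or from either poster; the keyring, registration DB, published documents and the HMAC "signature" are all constructed stand-ins, since a real deployment would verify the detached signature with GnuPG against the Debian keyring.

```python
import hashlib, hmac, json
from dataclasses import dataclass

# Constructed stand-in for the Debian keyring: PGP fingerprint -> (login, secret).
# A real deployment verifies the detached signature with GnuPG against the
# keyring; the HMAC below only stands in for that step so this runs offline.
KEYRING = {"FPR-ALICE": ("alice", b"alice-secret"), "FPR-BOB": ("bob", b"bob-secret")}

# Constructed registration DB: the WebID each member registered under their own key.
REGISTERED_WEBID = {"FPR-ALICE": "https://people.example.org/alice#me"}

@dataclass
class ClientCert:
    san_uri: str      # subjectAltName URI carried by the TLS client certificate
    fingerprint: str  # SHA-256 fingerprint of that certificate

def sign_stub(fpr, doc):
    mac = hmac.new(KEYRING[fpr][1], doc, hashlib.sha256).hexdigest()
    return {"signer": fpr, "mac": mac}

def verify_stub(doc, sig):
    """Return the signer's fingerprint if sig is valid and that key is in the keyring."""
    entry = KEYRING.get(sig.get("signer"))
    if entry is None:
        return None                                # signer not in the keyring
    good = hmac.new(entry[1], doc, hashlib.sha256).hexdigest()
    return sig["signer"] if hmac.compare_digest(good, sig["mac"]) else None

# Constructed WebID documents as a server would fetch them: URL -> (doc, signature).
ALICE_DOC = json.dumps({"webid": REGISTERED_WEBID["FPR-ALICE"], "certs": ["SHA256:aaaa"]}).encode()
BOB_DOC = json.dumps({"webid": "https://evil.example.net/alice#me", "certs": ["SHA256:bbbb"]}).encode()
PUBLISHED = {
    "https://people.example.org/alice": (ALICE_DOC, sign_stub("FPR-ALICE", ALICE_DOC)),
    "https://evil.example.net/alice": (BOB_DOC, sign_stub("FPR-BOB", BOB_DOC)),
}

def authenticate(cert, fetch=PUBLISHED.get):
    """Return the Debian login the certificate proves, or None if any link fails."""
    fetched = fetch(cert.san_uri.split("#")[0])   # dereference the WebID URL
    if fetched is None:
        return None
    doc, sig = fetched
    signer = verify_stub(doc, sig)                 # signed by a key in the keyring?
    if signer is None or REGISTERED_WEBID.get(signer) != cert.san_uri:
        return None                                # that key must have registered this WebID
    profile = json.loads(doc)
    if profile.get("webid") != cert.san_uri or cert.fingerprint not in profile.get("certs", []):
        return None                                # document must bind this very certificate
    return KEYRING[signer][0]
```

The second published document shows why the registration step matters: Bob's key is in the keyring and his signature verifies, but he never registered that WebID, so a certificate pointing at it is refused.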

