Re: Web ID as passwordless authentication for debian web services
Hi again.
Just in case it helps a bit more, let me forward you this message from
Andrei Sambra, a Debian user and WebID working group member (who's also
the developer of MyProfile, a "killer demo" service of WebID at [1]
- project/code at [0]).
Andrei read the thread and wanted to provide some feedback but isn't
subscribed to debian-devel@.
Hope this helps.
[0] http://myprofile-project.org/
[1] https://my-profile.eu/
Russ Allbery <rra@debian.org> writes:
> What am I missing?
>
> I suppose one thing that I could be missing is that, with a certificate,
> you have no privacy controls over what metadata you release. Whatever you
> put in the certificate is visible to anyone who looks at the certificate.
> (Well, you could encrypt it and then distribute a separate key, but that's
> getting into pointless complexity.) Whereas in theory your WebID endpoint
> could release different metadata depending on who asks. But since WebID
> doesn't authenticate the entity asking for metadata, I'm not sure that's
> really what's going on.
>
---- Forwarded ----
Andrei Sambra <andrei@fcns.eu>
Subject: WebID thread on Debian
To: Olivier Berger <olivier.berger@it-sudparis.eu>
Date: Fri, 17 May 2013 13:06:40 +0200
Hi! My name is Andrei Sambra and I am one of the WebID spec authors. I
would like to answer some of the questions/worries that have been
mentioned in this thread, so please allow me to explain WebID-TLS once more.
Among the useful things that WebID-TLS attempts to provide, the most
important one is that it decouples identity from authentication. WebID
is meant to allow users to bring with them a lot of useful attributes
regardless of the authentication method used during login. By doing so,
it allows services/applications to take advantage of a lot of useful
user data, in a completely decentralized environment. This is how we
usually avoid the "silo" paradigm - i.e. I don't want to have yet
another account with Debian in order to be able to maintain my packages;
I just want to login with my own identity, provided by my own identity
platform.
At this point, the proposed authentication method is based on client
certificates, which also takes advantage of TLS. I sympathise with you
and I understand why everyone hates client certificates given the
current state of CA trust, but even though WebID-TLS uses certificates,
it doesn't use them according to the standard CA chain trust model.
In WebID-TLS, certificates are _only_ used to verify cryptographic
claims, i.e. that the user trying to authenticate holds the private key
corresponding to a public key which he/she already published. Being a
distributed authentication protocol, it does not rely on verifying the
trust chain of CA signatures (that would be pointless as you will soon
discover).
Instead, WebID-TLS uses the WOT to build trust, in pretty much the same
way that GPG does it, only that in WebID we link to other people instead
of signing the keys. This has several advantages, the most
important one being that keys (certificates) need not be persistent. One
creates and discards certificates as often as they need to, for whatever
reasons. Instead of putting the accent on the private key (as in the
case of GPG), WebID-TLS puts the accent on the user's profile document
which contains the user's WOT.
For GPG, losing the private key can have disastrous implications, as it
takes time and effort (key signing parties) to rebuild the WOT. This is
no longer the case for WebID-TLS, since a certificate can be immediately
invalidated by removing its corresponding public key from the profile
document, while at the same time not affecting the WOT.
I hope I was able to clarify some things with this email. Please try to
give WebID another chance and go over the specs one more time. Here are
the links in case you've lost them.
WebID - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
WebID-TLS - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
Best,
Andrei Sambra
--
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
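The verifier-side check that Andrei's forwarded message describes (the client certificate is used only to confirm that the presented public key is one the user already published in their profile document; no CA chain is walked; revocation is simply deleting the key from the profile) is small enough to write out. The following Go program is an added example written for this thread, not code from the WebID spec, MyProfile, or any Debian service. It makes two simplifying assumptions that are labelled in the comments: the profile document is modelled as an in-memory struct instead of the RDF document (with `cert:modulus`/`cert:exponent`) that the spec actually dereferences over HTTPS, and the TLS handshake's proof of private-key possession is taken as already done, so `Authenticate` receives the certificate a server would find in `ConnectionState().PeerCertificates[0]`. The WebID `https://example.org/alice#me` and the key are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// PublishedKey is one RSA key as listed in a WebID profile document (the spec's
// cert:RSAPublicKey with a hexBinary cert:modulus and an integer cert:exponent).
// The RDF serialisation is replaced by a plain struct: an assumption made so the
// example needs no RDF parser.
type PublishedKey struct {
	ModulusHex string
	Exponent   int
}

// Profile stands in for the user's dereferenced profile document; ProfileStore
// stands in for fetching the WebID URI (fragment stripped) over HTTPS.
type Profile struct{ Keys []PublishedKey }
type ProfileStore map[string]*Profile

// NewSelfSignedWebIDCert builds a client certificate whose subjectAltName URI is
// the WebID. It is self-signed on purpose: WebID-TLS never consults a CA chain.
func NewSelfSignedWebIDCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID user (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func modulusHex(pub *rsa.PublicKey) string { return hex.EncodeToString(pub.N.Bytes()) }

// Publish lists pub in the profile, which is what makes certificates carrying it
// acceptable; Revoke delists it, which invalidates those certificates at once
// without touching anything else in the profile (the WOT links stay intact).
func Publish(p *Profile, pub *rsa.PublicKey) {
	p.Keys = append(p.Keys, PublishedKey{modulusHex(pub), pub.E})
}

func Revoke(p *Profile, pub *rsa.PublicKey) {
	kept := p.Keys[:0]
	for _, k := range p.Keys {
		if !strings.EqualFold(k.ModulusHex, modulusHex(pub)) || k.Exponent != pub.E {
			kept = append(kept, k)
		}
	}
	p.Keys = kept
}

// Authenticate is the verifier's side. It assumes the TLS handshake already
// proved possession of the private key (its CertificateVerify signature does;
// a Go server would use ClientAuth: tls.RequestClientCert, which requests but
// does not chain-verify the certificate). The only check made here is that the
// certificate's public key is published in a profile named by a SAN URI.
func Authenticate(store ProfileStore, cert *x509.Certificate) (string, error) {
	if len(cert.URIs) == 0 {
		return "", errors.New("certificate carries no subjectAltName URI, so no WebID claim")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("only RSA keys are modelled in this example")
	}
	for _, u := range cert.URIs {
		prof, ok := store[u.String()]
		if !ok {
			continue // profile not dereferenceable: this claim cannot be confirmed
		}
		for _, k := range prof.Keys {
			if strings.EqualFold(k.ModulusHex, modulusHex(pub)) && k.Exponent == pub.E {
				return u.String(), nil
			}
		}
	}
	return "", errors.New("no claimed WebID publishes this certificate's key")
}

// Scenario records the outcome of login before publishing the key, after
// publishing it, and after revoking it.
type Scenario struct {
	WebID, Authenticated                    string
	BeforePublish, AfterPublish, AfterRevoke error
}

func RunScenario() (Scenario, error) {
	s := Scenario{WebID: "https://example.org/alice#me"} // constructed WebID
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return s, err
	}
	cert, err := NewSelfSignedWebIDCert(s.WebID, key)
	if err != nil {
		return s, err
	}
	store := ProfileStore{s.WebID: &Profile{}}
	_, s.BeforePublish = Authenticate(store, cert)
	Publish(store[s.WebID], &key.PublicKey)
	s.Authenticated, s.AfterPublish = Authenticate(store, cert)
	Revoke(store[s.WebID], &key.PublicKey)
	_, s.AfterRevoke = Authenticate(store, cert)
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("before publish:", s.BeforePublish)
	fmt.Println("after publish: ", s.Authenticated, s.AfterPublish)
	fmt.Println("after revoke:  ", s.AfterRevoke)
}
```

The point the scenario makes is the one in the message: the same self-signed certificate is rejected, accepted, and rejected again purely as a function of what the profile document lists, with no issuer ever consulted. What the code does not show, and a real deployment must get right, is that the profile must be fetched over HTTPS from the URI the certificate claims (otherwise the "published" key is whatever an attacker on the path says it is), and that the TLS layer must actually have required the client to prove possession of the key rather than merely presenting the certificate.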