
Re: Web ID as passwordless authentication for debian web services



Hi again.

Just in case it helps a bit more, let me forward you this message from
Andrei Sambra, a Debian user and WebID working group member (who's also
the developer of MyProfile, a "killer demo" service of WebID at [1]
- project/code at [0]).

Andrei read the thread and wanted to provide some feedback but isn't
subscribed to debian-devel@.

Hope this helps.

[0] http://myprofile-project.org/
[1] https://my-profile.eu/

Russ Allbery <rra@debian.org> writes:

> What am I missing?
>
> I suppose one thing that I could be missing is that, with a certificate,
> you have no privacy controls over what metadata you release.  Whatever you
> put in the certificate is visible to anyone who looks at the certificate.
> (Well, you could encrypt it and then distribute a separate key, but that's
> getting into pointless complexity.)  Whereas in theory your WebID endpoint
> could release different metadata depending on who asks.  But since WebID
> doesn't authenticate the entity asking for metadata, I'm not sure that's
> really what's going on.
>

---- Forwarded ----
Andrei Sambra <andrei@fcns.eu> (12 mins. ago) (inbox)
Subject: WebID thread on Debian
To: Olivier Berger <olivier.berger@it-sudparis.eu>
Date: Fri, 17 May 2013 13:06:40 +0200

Hi! My name is Andrei Sambra and I am one of the WebID spec authors. I 
would like to answer some of the questions/worries that have been 
mentioned in this thread; please allow me to explain WebID-TLS once more.

Among the useful things that WebID-TLS attempts to provide, the most 
important one is that it decouples identity from authentication. WebID 
is meant to allow users to bring with them a lot of useful attributes 
regardless of the authentication method used during login. By doing so, 
it allows services/applications to take advantage of a lot of useful 
user data, in a completely decentralized environment. This is how we 
usually avoid the "silo" paradigm - i.e. I don't want to have yet 
another account with Debian in order to be able to maintain my packages; 
I just want to login with my own identity, provided by my own identity 
platform.

At this point, the proposed authentication method is based on client 
certificates, which also takes advantage of TLS. I sympathise with you 
and I understand why everyone hates client certificates given the 
current state of CA trust, but even though WebID-TLS uses certificates, 
it doesn't use them according to the standard CA chain trust model.

In WebID-TLS, certificates are _only_ used to verify cryptographic 
claims, i.e. that the user trying to authenticate holds the private key 
corresponding to a public key which he/she already published. Being a 
distributed authentication protocol, it does not rely on verifying the 
trust chain of CA signatures (that would be pointless as you will soon 
discover).

Instead, WebID-TLS uses the WOT to build trust, in pretty much the same 
way that GPG does it, only that in WebID we link to other people instead 
of signing the keys. This has several advantages, the most important 
one being that keys (certificates) need not be persistent. One creates 
and discards certificates as often as needed, for whatever reasons. 
Instead of putting the accent on the private key (as in the case of 
GPG), WebID-TLS puts the accent on the user's profile document which 
contains the user's WOT.

For GPG, losing the private key can have disastrous implications, as it 
takes time and effort (key signing parties) to rebuild the WOT. This is 
no longer the case for WebID-TLS, since a certificate can be immediately 
invalidated by removing its corresponding public key from the profile 
document, while at the same time not affecting the WOT.

I hope I was able to clarify some things with this email. Please try to 
give WebID another chance and go over the specs one more time. Here are 
the links in case you've lost them.

WebID - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html

WebID-TLS - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html

Best,
Andrei Sambra


-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Research Engineer - INF Department
Institut Mines-Telecom, Telecom SudParis, Evry (France)
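As an added example (not code from this thread, the WebID spec or MyProfile), here is the check Andrei describes, in Go: the client presents a self-signed certificate whose subjectAltName URI is the WebID, the verifier skips any CA chain, and the certificate is accepted only if its public key is published in that WebID's profile document, so removing the key from the profile is the revocation. The Profiles map and the example.org WebID are constructed stand-ins for the profile document a real verifier would dereference over HTTP.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"net/url"
	"time"
)

// Profiles stands in for the profile documents a verifier fetches by dereferencing
// each WebID URI (constructed; a real verifier GETs the URI and reads cert:modulus/cert:exponent).
type Profiles map[string][]*rsa.PublicKey

// NewClientCert builds a self-signed certificate whose subjectAltName URI is the
// WebID. No CA signs it: the cert merely binds a public key to the URI.
func NewClientCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID is the WebID-TLS check run after the handshake has proved the client
// holds the private key (server side: tls.RequestClientCert, so no CA chain is validated).
// It accepts only if the cert's RSA key is published in the profile of one of its SAN URIs.
func VerifyWebID(cert *x509.Certificate, profiles Profiles) (string, bool) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", false // the cert ontology used here describes RSA keys only
	}
	for _, u := range cert.URIs {
		for _, k := range profiles[u.String()] { // keys the profile publishes for this URI
			if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
				return u.String(), true
			}
		}
	}
	return "", false // revoked or never published: deny, whoever signed the cert
}
```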

