
Re: WebID as passwordless authentication for debian web services



On 17/05/13 17:36, Olivier Berger wrote:
>> The only way to prevent this attack in WebID that I see is to either do
>> leap-of-faith permanent caching [...] or
>> to secure the connection to my identity URI.
> 
> I wonder how OpenID, for instance, is supposed to resist such
> attacks, in comparison...

It's basically the same, but with less social expectation of https. If
your OpenID identity URL is http, a relying party (e.g. the blog you're
commenting on) can be MitM-attacked and there's nothing you can do about
it; if your OpenID identity URL is https, it has to rely on the PKIX
(the CA cartel), or some sort of CA-replacement like Convergence, to
detect/avoid MitM.

By way of context, OpenID originated on Livejournal as a way to have
federation between blogging platforms (e.g. other sites running the
Livejournal codebase). At the time, https was considered sufficiently
expensive that LJ didn't even use it to secure login, let alone normal
browsing. OpenID's original threat model was "stop people not on my
friends list from reading what I blog about them", not "stop the US
government from reading my secrets".

    S
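As an added illustration of the "leap-of-faith permanent caching" mitigation mentioned in the quoted text (example code written for this page, not code from the thread or from any WebID implementation): the relying party pins the public key it sees the first time it dereferences an identity URI and refuses a later, different key, which is what a MitM on a plaintext fetch would have to present. The `Decision` names, the SHA-256 fingerprint and the sample PEM strings are assumptions constructed for the example.

```python
import hashlib
from enum import Enum


class Decision(Enum):
    """Outcome of checking a WebID URI against the pin cache."""
    FIRST_USE = "first-use"   # nothing cached yet: accept and pin (the leap of faith)
    MATCH = "match"           # key matches the pinned one: accept
    MISMATCH = "mismatch"     # key differs from the pin: possible MitM, reject


def fingerprint(public_key_pem: str) -> str:
    # Pin a digest rather than the full key; SHA-256 is an assumption here.
    return hashlib.sha256(public_key_pem.strip().encode()).hexdigest()


class LeapOfFaithCache:
    """Maps an identity URI to the fingerprint of the key first seen for it."""

    def __init__(self):
        self._pins = {}

    def check(self, webid_uri: str, public_key_pem: str) -> Decision:
        fp = fingerprint(public_key_pem)
        pinned = self._pins.get(webid_uri)
        if pinned is None:
            # First time this URI is dereferenced: remember the key permanently.
            self._pins[webid_uri] = fp
            return Decision.FIRST_USE
        return Decision.MATCH if pinned == fp else Decision.MISMATCH


# Constructed sample input: a WebID URI served over plain http and two keys,
# the second standing in for what an attacker in the middle would substitute.
WEBID = "http://example.org/alice#me"
KEY_ALICE = "-----BEGIN PUBLIC KEY-----\nALICE-KEY-BYTES\n-----END PUBLIC KEY-----"
KEY_MITM = "-----BEGIN PUBLIC KEY-----\nOTHER-KEY-BYTES\n-----END PUBLIC KEY-----"


def demo():
    cache = LeapOfFaithCache()
    first = cache.check(WEBID, KEY_ALICE)    # pinned on first sight
    again = cache.check(WEBID, KEY_ALICE)    # same key later: accepted
    swapped = cache.check(WEBID, KEY_MITM)   # different key later: rejected
    return first, again, swapped


if __name__ == "__main__":
    print(demo())
```

The cache only closes the window after the first successful fetch; if the very first dereference is already intercepted, the wrong key gets pinned, which is why the quoted text calls it a leap of faith.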

