
Re: WebID as passwordless authentication for debian web services



Hi.

Thanks for your valuable feedback.

Russ Allbery <rra@debian.org> writes:

> Olivier Berger <olivier.berger@it-sudparis.eu> writes:
>> Russ Allbery <rra@debian.org> writes:
>
>> May I suggest you forward this to the WebID list so that more informed
>> experts can react? This seems a very interesting problem, and certainly
>> not Debian-related (I could forward your message, but it may be better
>> if you're posting directly, just let me know).
>
> I'm happy for anything I wrote on this thread to be forwarded to anyone
> who is interested, but I'm afraid I don't have time at the moment to
> follow another mailing list or get too much deeper into the discussion
> than I have already, sadly.
>

ACK. For the record, I've forwarded your message to the webid list (see
[0]).

SNIP

>> I've not thought a lot about this before, so maybe I'm overlooking other
>> details, but I think the use of the GPG signature of the FOAF document
>> may help overcome some of the weaknesses that you explained wrt ensuring
>> the FOAF retrieved is indeed the one that is supposed to be bound to the
>> SSL cert.
>
> Oh, absolutely.  If you are in a position to verify PGP signatures from
> the user, you can of course use PGP as the authentication method, at which
> point you don't need to trust anything other than PGP.  The problem, of
> course, is that this too just moves the authentication problem, this time
> to the PGP world.  You still need to establish the trust chain, since
> anyone can make a GnuPG key claiming to be for a particular person.
> (Someone created a bogus key for me, for example.)
>

We do verify such trust chains every day for db.debian.org AFAIU (and of
course for uploads)... so provided a GPG public key is in our keyrings,
it can be used to "certify" a WebID document, by verifying that it has
been signed by the correct GPG key, right?

So, if I'm not trying to think too far about potential abuses, in practical
terms, my understanding is that we may use WebID + TLS for Debian,
provided that we only trust FOAF/WebID documents signed with GPG by
Debian participants who have been registered in a DB of ours as
allowing the use of a (remote) WebID, such registration being made with
the same GPG key's signature (for instance using the mail gateway of
db.debian.org).

Then such a WebID could be trusted by Debian to provide metadata about
the Debian project member, and could be used to authenticate to Debian
servers in a password-less way, using the associated TLS cert.

Of course, every time the FOAF document is retrieved again, its
signature should be checked again.

So we base ourselves on the GPG WoT to initiate the acknowledgement of
a legitimate WebID, and from then on benefit both from the Linked Data
approach to managing identity, and from the ease of use of browser-based
TLS negotiation for password-less single sign-on, etc.

I've been thinking of different security checks that could be performed
to make sure no abuse of identity is possible, but it is hard to do a
security analysis of such processes and I'm far from an expert in such
domains.

My understanding is that once a Debian member has signed a document and
made that document and its GPG signature available at a URL, and a
Debian server can fetch it at that same URL and verify it is signed by
him/her (he/she is in the keyring), that's enough; Debian doesn't have to
care whether this document describes the "right" identity. If I have been
tricked into signing such a WebID and it references another person's email
(or TLS cert), for instance, then there's not much Debian servers can
do... but warn me, maybe?


Next step: implement a PoC targeting a demo at DebConf (I've registered
a proposal for a BoF in pentabarf, which still needs to be completed, but
is already a placeholder for discussion in Le Camp)?

[0] http://lists.w3.org/Archives/Public/public-webid/2013May/0040.html
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
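The verification flow sketched in the message above (fetch the profile published at the WebID URL, check that it is signed by a keyring key which the member registered for that WebID, check that the presented TLS client certificate's key is listed in that signed profile, and redo all of it on every fetch), written out as an added Go example. This is not code from the thread, from Debian or from any WebID project. Its assumptions: RSA-PSS over SHA-256 stands in for the OpenPGP detached signature because Go's standard library has no OpenPGP implementation; a regular expression stands in for an RDF/Turtle parser; the HTTPS fetch of the profile is not performed (the document bytes are handed to the verifier); the key ids "ALICE" and "MALLORY", the URL https://example.org/~alice/foaf and the keys are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"time"
)

// Verifier is what a Debian server would consult: the keyring of members' public keys and
// the WebID URI -> key id registry a member filled with a signed request (db.debian.org step).
type Verifier struct {
	Keyring  map[string]*rsa.PublicKey
	Registry map[string]string
}

// keyRe extracts RSA keys from the profile (a regex stands in for an RDF parser here).
var keyRe = regexp.MustCompile(`cert:modulus\s+"([0-9a-fA-F]+)"[^;]*;\s*cert:exponent\s+(\d+)`)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// profile renders the minimal Turtle WebID profile listing one RSA key.
func profile(webid string, pub *rsa.PublicKey) []byte {
	return []byte(fmt.Sprintf("@prefix cert: <http://www.w3.org/ns/auth/cert#> .\n"+
		"@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .\n<%s> cert:key [ a cert:RSAPublicKey ;\n"+
		"    cert:modulus \"%x\"^^xsd:hexBinary ;\n    cert:exponent %d ] .\n", webid, pub.N, pub.E))
}

// sign is the member's "gpg --detach-sign"; RSA-PSS stands in for OpenPGP (stdlib has none).
func sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// clientCert: self-signed WebID-TLS client cert, WebID URI in subjectAltName.
func clientCert(priv *rsa.PrivateKey, webid string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "WebID client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		URIs: []*url.URL{must(url.Parse(webid))}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return must(x509.ParseCertificate(der))
}

// Authenticate runs the thread's checks on every request, uncached: the profile at the cert's
// WebID URI must be validly signed by the key registered for that URI and must list the cert's key.
func (v *Verifier) Authenticate(cert *x509.Certificate, doc, sig []byte) error {
	if len(cert.URIs) != 1 {
		return fmt.Errorf("client certificate must carry exactly one WebID URI")
	}
	webid := cert.URIs[0].String()
	keyID, registered := v.Registry[webid]
	signer, inKeyring := v.Keyring[keyID]
	if !registered || !inKeyring {
		return fmt.Errorf("%s is not bound to a key in the keyring", webid)
	}
	h := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(signer, crypto.SHA256, h[:], sig, nil); err != nil {
		return fmt.Errorf("profile at %s is not signed by %s: %w", webid, keyID, err)
	}
	pub, _ := cert.PublicKey.(*rsa.PublicKey) // nil for a non-RSA key, which never matches
	for _, m := range keyRe.FindAllStringSubmatch(string(doc), -1) {
		n, okN := new(big.Int).SetString(m[1], 16)
		e, okE := new(big.Int).SetString(m[2], 10)
		if pub != nil && okN && okE && n.Cmp(pub.N) == 0 && e.Int64() == int64(pub.E) {
			return nil // the member-signed profile vouches for this TLS key
		}
	}
	return fmt.Errorf("presented TLS key is not listed in the signed profile at %s", webid)
}

// Run uses constructed actors (hypothetical key ids and URL): a legitimate request, a profile
// signed by a keyring key not registered for that WebID, and a cert the profile does not list.
func Run() map[string]error {
	const webid = "https://example.org/~alice/foaf"
	gen := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	alice, mallory, aliceTLS, stranger := gen(), gen(), gen(), gen()
	v := &Verifier{Keyring: map[string]*rsa.PublicKey{"ALICE": &alice.PublicKey, "MALLORY": &mallory.PublicKey},
		Registry: map[string]string{webid: "ALICE"}}
	doc := profile(webid, &aliceTLS.PublicKey)
	good, bad := must(sign(alice, doc)), must(sign(mallory, doc))
	return map[string]error{
		"legit":            v.Authenticate(clientCert(aliceTLS, webid), doc, good),
		"unregistered-key": v.Authenticate(clientCert(aliceTLS, webid), doc, bad),
		"foreign-cert":     v.Authenticate(clientCert(stranger, webid), doc, good),
	}
}
```

Two points the example makes concrete. First, the check that closes the gap raised earlier in the thread (anyone can create a key claiming to be a given person) is not "signed by some keyring key" but "signed by the key that this WebID was registered with", which is why the registry is consulted before the keyring: a second member's key, although perfectly valid in the keyring, is rejected for a WebID it never registered. Second, the signature and the key listing are re-verified on every call rather than cached, matching the message's note that the signature should be checked again each time the document is retrieved.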

