[Freedombox-discuss] FOAF developers taking FreedomBox into their equation
On 03/09/2011 06:11 PM, Melvin Carvalho wrote:
> Traditionally we've always 'self signed' our WebID certificates. So
> there's no CA that needs to be in the loop. In fact, I dont know of
> any instance WebID has *ever* been used with a CA, but I suppose it is
> possible too. :)
For plain http:// URL WebIDs, there is no CA in the loop; but plain
http:// WebIDs are vulnerable to a pretty trivial attack by someone with
reasonable control of the network -- all they need to do is forge DNS or
intercept traffic to convince the server doing a backhaul lookup that
the client's presented WebID cert is legit. This level of vulnerability
to an attacker in control of the network doesn't seem to meet the
standards i'd hope for a robust, freedom-preserving scheme.
So that leaves https:// WebIDs, which in turn need some sort of
certificate validation. I'm pretty sure that any WebID that points to
an https:// URL relies on the CA cartel to validate the backhaul
connection, in the current implementations, no? Either the certificate
validation is not happening (in which case the scheme is vulnerable to
an attacker in control of the network again), or the certificate
validation relies on some set of CAs.
I'm happy that WebID is trying to sidestep the CA cartel for end-user
certificates. But it seems to rely on either (a) centralized,
cryptographically-guaranteed DNS (DNSSEC) or (b) the CA cartel to
validate the server-side certificates (or both). Both of these options
leave a handful of fairly unaccountable middlemen with the ability to
perform denial of service attacks on end user identities and even
I'd love to hear suggestions for improving the scheme to be resistant to
these middlemen, but i don't think i've heard any of them yet.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1030 bytes
Desc: OpenPGP digital signature