[Debwebid-discuss] Web ID as passwordless authentication for debian web services

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Sep 14 06:45:52 UTC 2013


Hi Oliver--

Sorry it's taken me a while to process this message -- i've been very
bad at dealing with a large backlog :(

I haven't thought through the bigger picture of whether this mixture of
WebID and OpenPGP is a good idea or not, but let me address the
technical angle first.

On 08/28/2013 05:08 AM, Olivier Berger wrote:

> Basically, in the same way as a X.509 cert points with the subjectAltName
> to a URI of a WebID document, I'd like my pubkey to point to such a URI.

I think there are two straightforward strategies to do this:

 0) add a separate UserID that is exactly the WebID URI.  OpenPGP
UserIDs are just UTF-8 strings, so they should be able to encode a URI
without any trouble.

 1) declare a new OpenPGP notation (within a domain under your control)
and indicate that this notation is the author's webID or other RDF data.
Then the key holder would add this notation subpacket to their
self-signatures (that is, to the signature packets they make over their
primary key plus their own normal User IDs)

The differences between these two approaches are in how third-party
certifications would address the WebID.

With proposal 0, an outside party can sign off on the keyholder's
WebID.  If you like this, it's worth asking yourself what it means to
ask someone to make this certification.  normally, when someone makes an
identity certification, they want to verify that identity somehow
beforehand (e.g. checking gov't documents, using caff to send an
encrypted e-mail to the e-mail address, etc).  how can someone make that
decision?

Alternately, with proposal 1, it is the keyholder who asserts their
WebID, and the external certifiers just certify normal UserIDs as usual.
In this case, the keyholder can change their WebID if they want to
without invalidating the signatures they have already collected on the key.

Overall, i think i favor proposal 1, but like i said i haven't thought
through all the consequences.  What do you think?

> I've then tried to embed a RDF triple pointing to the WebID URI inside a
> QR code image, that I can then add as a (preferably not primary) photo ID
> in my pubkey (see a description of my experiment and some comments at [0]).

yikes!  this sounds like a very complicated approach, and one that
raises all kinds of questions around certification and data content.
we're already working with machine-readable data, and with
human-readable data.  introducing a QR-code in a graphic image just
sounds like it's asking for trouble.

There are lots of other sneaky ways to tuck data away into user
attributes and the like (e.g. JPEG exif metadata), but i don't think
that's a sane way to approach something that you want to be
comprehensible to other humans.

> I think this may be a way to allow some use of WebID, relying on the
> Debian OpenPGP web of trust, and not necessarily on client certs. Of
> course, a WebID could then be bound to both an OpenPGP key and a X509
> cert.

I think it's worth pointing out here that OpenPGP certs *are* client
certs.  They can also be server certs, or e-mail certs, or data
attestation certs, or any number of other uses.

> Btw, I've just created a ML (in CC:) on alioth to serve for future
> discussions about WebID in Debian, as a followup of the WebID BoF that
> occurred at DebConf (gently moderated by Jonas, as I couldn't make it to
> Le Camps). Feel free to join ;)

Joined, thanks.  I think we can follow up there and then drop the other
Cc's.

Curious to hear your thoughts,

	--dkg
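An added example, not from dkg's message or from any Debian tooling, showing the byte layout of the notation-data subpacket that proposal 1 would put into a self-signature, as specified in RFC 4880 section 5.2.3.16 (subpacket type 20, a 4-octet flags word, two 2-octet lengths, then name and value). The notation name `webid@example.org` and the WebID URI are assumed placeholders for a domain under the key holder's control; the `name@domain` check reflects RFC 4880's requirement that user-space notation names carry a domain.

```python
import struct

NOTATION_SUBPACKET_TYPE = 20      # RFC 4880 section 5.2.3.16
HUMAN_READABLE_FLAG = 0x80000000  # first flag octet, bit 0x80

def _encode_subpacket_len(n):
    # RFC 4880 section 5.2.3.1: 1-, 2- or 5-octet subpacket length
    if n < 192:
        return bytes([n])
    if n < 16320:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def _decode_subpacket_len(buf, pos):
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def encode_notation(name, value, human_readable=True):
    """Build a notation-data subpacket carrying name=value (UTF-8)."""
    if "@" not in name:
        # user-space notation names must be name@domain; IETF names are reserved
        raise ValueError("user notation names must be of the form name@domain")
    name_b, value_b = name.encode("utf-8"), value.encode("utf-8")
    flags = HUMAN_READABLE_FLAG if human_readable else 0
    body = struct.pack(">IHH", flags, len(name_b), len(value_b)) + name_b + value_b
    # the length field covers the type octet plus the body, not itself
    return _encode_subpacket_len(len(body) + 1) + bytes([NOTATION_SUBPACKET_TYPE]) + body

def decode_notation(packet):
    """Parse one notation subpacket; returns (name, value, human_readable)."""
    _, pos = _decode_subpacket_len(packet, 0)
    if packet[pos] != NOTATION_SUBPACKET_TYPE:
        raise ValueError("not a notation-data subpacket")
    flags, nlen, vlen = struct.unpack(">IHH", packet[pos + 1:pos + 9])
    start = pos + 9
    name = packet[start:start + nlen].decode("utf-8")
    value = packet[start + nlen:start + nlen + vlen].decode("utf-8")
    return name, value, bool(flags & HUMAN_READABLE_FLAG)

if __name__ == "__main__":
    # constructed placeholder values, not a real key holder's WebID
    pkt = encode_notation("webid@example.org", "https://example.org/~alice#me")
    print(pkt.hex())
    print(decode_notation(pkt))
```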
