[Freedombox-discuss] FOAF developers taking FreedomBox into their equation
Henry Story
henry.story at bblfish.net
Thu Mar 10 21:27:55 UTC 2011
On 10 Mar 2011, at 21:53, Daniel Kahn Gillmor wrote:
> On 03/10/2011 02:54 PM, Henry Story wrote:
>> On 10 Mar 2011, at 19:44, Daniel Kahn Gillmor wrote:
>>> My question is how B validates the backhaul link. That is, how does B
>>> know that they are actually talking securely to C?
>>
>> Currently it would use https with CAs (and later DANE currently being
>> developed at the IETF in DNSsec). That work very widely, and are already
>> a lot better than what most web sites use.
>
> Are you saying that DANE works very widely? Can you point me to some
> evidence of that?
No, obviously not that is why I wrote "and later DANE" and even put it between parenthesis.
>
>> Now if you can develop other methods to verify a machine, then those could be used additionally too.
>>
>> Self signed server certs could be validated by a bunch of your friends, which could set up friend DNSsecs presumably.
>
> OK, but if we're setting up new ways to verify machines then we might as
> well make sure those ways can verify end-user certificates directly,
> right? Otherwise, all WebID does is add an additional potential point
> of failure for our validation scheme.
Not sure. DNS is not a good protocol to put end user data in; the web is much better
for that.
>
>>> If the backhaul link is unvalidated (therefore spoofable) then an
>>> imposter capable of such spoofing can successfully masquerade as A by
>>> generating and deploying a FOAF file that asserts the information the
>>> attacker needs for their "false A" cert to be accepted. So i don't
>>> think that counts as "secure authentication".
>>
>> No that would be a very weak deployment of WebID.
>
> glad we agree on that :)
>
>> Not quite. The server certificate is identifying a service joe.name:443 .
>> You could put that name in the server certificate subject alternative name.
>> Then you could apply the same principle by looking up the service in the place
>> one does those lookups in: DNS. Of course DNS is itself insecure, so this
>> only works with DNSsec, and that is what this group is working on:
>>
>> http://tools.ietf.org/wg/dane/draft-ietf-dane-protocol/
>>
>> Then the pieces are tied together. Now they are you might say centralised.
>> Though DNS is not that centralised either.
>
> Yes, this is an approach that cuts out the CA cartel. I like that,
> because i think the CA cartel as currently implemented is quite problematic.
>
> But it makes DNS an even-more-valuable target for centralized control.
>
> Unfortunately, DNS *is* currently centralized, and DNSSEC does nothing
> to address that centralization. In DNSSEC, the entities who control the
> signing keys for each zone "above" your delegated zone have the ability
> to spoof your credentials or to cause a denial of service.
yes, I don't think there is a miracle solution. This one could be better than
what we have now, which is the same, except that DNS can be broken any moment and we rely on a distributed cartel.
>
>> So we are currently resting on some existing and widely deployed infrastructure.
>> But we do not require them. Perhaps you can find some interesting
> things to
>> explore in the direction of RFC 5081 "Using OpenPGP Keys for Transport Layer Security"
>
> RFC 5081 has been superseded by RFC 6091 (i'm one of the authors of the
> newer version). And yes, i do think something along these lines is a
> good way to address server authentication. We could also use it to
> address client authentication directly.
A cool. I don't really know those well. But at least now I know someone who does :-)
I'd be interested in seeing how WebID can be tied into PGP. There is no reason it could not... I know one can put an e-mail into a PGP certificate. Can one put a URL there too? Like a Subject Alternative Name?
What is useful if you look at the FAQ is that WebID also allows you through the reference to build a much richer and changeable profile that you would ever want to put into a certificate.
http://www.w3.org/wiki/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F
(I am not being fair to PGP there perhaps, but then I am waiting for feedback)
This allows others to link to you, and so create a web of trust - using the word 'web' here in the same way as it is used in World Wide Web.
Or are you just totally against URLs?
>
>> WebID currently is about client authentication. Not really about server
>> authentication. Though because they are symmetric, the intuitions
>> developed in one place can be applied at the other.
>
> I think i'd say it a bit differently: WebID is about taking advantage
> of existing server authentication mechanisms to get client
> authentication mechanisms "for free". (actually, at the cost of
> introducing another point of failure, which is the FOAF web server C
> itself, which must be 'net-connected and operable for WebID to work)
You get other very valuable pieces: linked data being the most important. The success of the web tells you haw important hyper text was. Hyper data won't be different.
>
> Unfortunately, i don't actually think our existing server authentication
> mechanisms are healthy ones; they need to be fixed if we want the
> network to be resistant to attack by powerful adversaries.
>
> But if we're doing the work to fix server authentication, there's no
> reason it shouldn't apply to client authentication at the same time,
> without introducing the additional point of failure. No?
Well if you have server authentication that makes you happy, then is there really a problem left with client auth being webid like? It's very powerful, and much more flexible.
>
> --dkg
>
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
Social Web Architect
http://bblfish.net/
More information about the Freedombox-discuss
mailing list