[Freedombox-discuss] Friendika

Henry Story henry.story at bblfish.net
Wed Jul 13 18:58:49 UTC 2011


Hi, 

I am lurking here from time to time. As the chair of http://webid.info/ I welcome people to join the W3C incubator group and help us tighten the spec by producing more implementations. We are currently working on developing a simple declarative test suite for WebID implementations.

On 13 July, Melvin wrote

>> WebID uses SSL, but as far as I understand it doesn't rely on any CA. The
>> certificates can be self-signed and they will work the same.

Yes, the client side certificates don't rely on a CA. Neither does the WebID in the X509 Cert have to be an httpS URL: it could be an http WebID, in which case you have the possibility of man in the middle attacks - which is a problem with username/passwords and e-mail authentication nowadays. Of course a Relying Party (to use OpenId lingo) that receives an http WebID should take that into account, and reduce trust levels. For some services this may be ok - well it seems to be ok for the 99.99% web at present!

The server certificates work much better when relying on a CA of course. Without CA signed certificates the client or the server would not know if they have really reached the server. So there is an attack that is possible there. If that is not an issue that could be bypassed, especially in server to server configuration. Of course in that case each side should understand that the level of security is lower. But not lower than when we connect to http://google.com/ . (On the client side connecting to a server that is not CA enabled leads to ugly UI issues though.)

Now I think it would be great if everything were behind https. Then when Google gave us an answer we would not be in danger of receiving a man in the middle corrupted answer, sending us to some other fake page. Security itself is social. If Google is not secure then most things we do are not secure. If other web sites are not secure then Google is not secure - cause Google's crawlers could be man-in-the-middled.

But we can't get everything behind https if we _need_ to rely on CAs, as they are a bottleneck. DNS is not perfect but already a lot better. So people who want to help increase security there, should look at the IETF DANE work.

     http://datatracker.ietf.org/wg/dane/charter/

Try to follow what is going on there and try to make sure that servers can put self signed certs into DNSSEC. Then push browsers to implement this. Chrome has an implementation where you can put a certificate signed by your DNSSEC on your https end point, which would also work.

If you don't want to rely on DNS then I wrote up how to do that on this list
  http://lists.w3.org/Archives/Public/public-xg-webid/2011Mar/0068.html
(if someone wants to play on developing httpk, let me know. I just need some help with distributed hash tables)


>> It uses the
>> private key installed in your PC (which might not be very convenient) and
>> checks if it belongs to the public key (which you have copied sometime before)
>> returned by the FOAF file. If they match, your friends server can be sure that
>> you are who you claim to be
>> ( http://www.w3.org/wiki/Foaf%2Bssl ). In this scheme it doesn't matter which
>> the CA is.

On 13 Jul 2011, at 19:54, Boaz wrote:
> 
> Let's be clear: self-signed certificates provide no protection against
> MITM attack.

Your client certificate can be self signed without a problem of MITM. It is the server lacking a certificate signed by a trusted authority - CA or DNS or some friend - that would enable MITM.

>  In other words, no assurance to your friends that you
> "are who you claim to be" (unless you gave them your key fingerprint
> on a slip of paper or something).  That assurance is the service that
> we supposedly get from certificate authorities.

CAs will never be able to do end user certification. It's way beyond them. They are already struggling to certify paying businesses. Nobody would want CAs to start certifying individuals. This is why nobody thought of using Client Certs for authentication. But with WebID you don't need the CA for the client cert part! So a major problem of client certificates has vanished.

Hope that helps. There is a short introduction video now on http://webid.info/

Henry

PS.

And for those who have time to spare, I gave a presentation on "Philosophy and the Social Web" at the first philosophy and web conference last year in Paris. Though this is in English:
http://bblfish.net/tmp/2010/10/26/



Social Web Architect
http://bblfish.net/
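
The relying-party check discussed in this message, as an added example that is not part of the original post or of any WebID implementation: the client key is accepted only if the profile behind the WebID publishes it, and an http WebID gets a reduced trust level. The trust labels, the fetch function, the hex modulus format and the sample profiles are assumptions of this example; a real fetch would also validate the profile server's certificate.

```python
from urllib.parse import urlsplit

REJECT, LOW, HIGH = "reject", "low", "high"  # trust labels assumed for this example

def parse_modulus(text):
    """Turn a hex modulus as printed in a profile ('00:c3 a1 ...') into an int."""
    return int("".join(ch for ch in text if ch in "0123456789abcdefABCDEF"), 16)

def verify_webid(san_uri, cert_key, fetch_profile_keys):
    """Decide how far to trust a client that presented a WebID certificate.

    san_uri:  the WebID URI from the certificate's subjectAltName.
    cert_key: (modulus, exponent) from the client certificate, after the TLS
              handshake has proved possession of the matching private key.
    fetch_profile_keys(uri): returns the (hex_modulus, exponent) pairs
              published in the profile document behind the WebID.
    """
    scheme = urlsplit(san_uri).scheme.lower()
    if scheme not in ("http", "https"):
        return REJECT
    published = {(parse_modulus(m), int(e)) for m, e in fetch_profile_keys(san_uri)}
    if cert_key not in published:
        return REJECT  # the profile does not vouch for this key
    # Who signed the client certificate never entered the decision. What
    # matters is whether the profile fetch could have been tampered with.
    return HIGH if scheme == "https" else LOW

# Constructed sample data: tiny fake moduli, not real keys.
PROFILES = {
    "https://alice.example/card#me": [("00:c3:a1:5f:09", 65537)],
    "http://bob.example/foaf#me": [("9b 44 e2 71", 65537)],
}

def fetch(uri):
    """Stand-in for dereferencing the WebID (hypothetical helper)."""
    return PROFILES.get(uri, [])

ALICE_KEY = (0xC3A15F09, 65537)
BOB_KEY = (0x9B44E271, 65537)
OTHER_KEY = (0xDEADBEEF, 65537)  # self-signed cert claiming Alice's WebID

if __name__ == "__main__":
    print(verify_webid("https://alice.example/card#me", ALICE_KEY, fetch))
    print(verify_webid("http://bob.example/foaf#me", BOB_KEY, fetch))
    print(verify_webid("https://alice.example/card#me", OTHER_KEY, fetch))
```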