Another use case for DANE

Hi,

  Inspired by the innovative thinking animating the BrowserId authentication protocol [1], and seeing that the logic developed there could also be applied to WebID over TLS [2], it occurred to me that one could use keys published in DANE to prove that a client certificate had been signed by a specific service - e.g., an https or an e-mail service.

   The BrowserId folk have not specified exactly how they wish to show that their JSON certificates were signed by a specific e-mail provider, and it seems this role could very reasonably fall to DNSSEC. If it can be done for BrowserId, then of course there is no reason why X509 client certificates could not also be signed with such keys, where the Issuer Alternative Name in the X509 certificate would be either an e-mail or an https service. This would then allow Relying Parties to authenticate a WebID in an X509 Certificate immediately without needing to dereference the WebID itself - an issue that could speed up initial authentication of X509 certificates coming from very large service providers - or even allow certificates to be verified without them containing a WebID, as the BrowserID folks seem to prefer.
  There is also the advantage that if the signature is from the e-mail-providing service, then this could be used immediately to verify an e-mail address in the Subject Alternative Name, just as it would help prove an https WebID if the key were shown by DNSSEC to be the one used to sign https services.
  This can clearly complement simple WebID authentication as we know it now from http://webid.info/spec/. WebID does have the advantage of being able to return very rich and up-to-date graphs of information about the user.

Henry Story

PS this is part of the WebID ISSUE-5: "Follow Work in publishing keys in DNSSEC - DANE"


[1] https://browserid.org/ 
    though it still requires the work of the future Browser Cryptography group to come to fruition
    http://www.w3.org/wiki/IdentityCharter#Web_Cryptography_Working_Group_Charter
    if it is going to be truly decentralised
[2] I wrote up a detailed comparison of WebID and BrowserID
    http://security.stackexchange.com/questions/5406/what-are-the-main-advantages-and-disadvantages-of-webid-compared-to-browserid

Social Web Architect
http://bblfish.net/

Received on Saturday, 5 November 2011 23:57:05 UTC
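As an added example, not part of Henry's message nor code from the WebID project, here is a Go sketch of the flow the message proposes: a service publishes its signing key under the TLSA owner name DANE uses for its https endpoint, signs a client certificate carrying the user's e-mail in the Subject Alternative Name and the service URI in the Issuer Alternative Name, and a relying party then verifies that certificate from the DNS-published key alone, without dereferencing any WebID. Everything DNS-related is a constructed stand-in (a `zone` map; no resolver or DNSSEC validation is called), `example.org` and the e-mail addresses are made up, and the `_443._tcp.<host>` owner name and the record parameters (usage 2, selector 1, matching type 1, i.e. SHA-256 over the signer's SubjectPublicKeyInfo) follow RFC 6698, which was published after this message. Because such a record only commits to a key hash, the example assumes the relying party is handed the signer's certificate together with the client certificate, for instance in the TLS chain. The e-mail check goes one step beyond the message: a signer is only allowed to vouch for addresses in its own domain, otherwise any service with a DANE record could issue certificates for anyone's address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// id-ce-issuerAltName (RFC 5280, 4.2.1.7); Go's x509 does not model it, so it is carried as a raw extension.
var oidIssuerAltName = asn1.ObjectIdentifier{2, 5, 29, 18}
// zone stands in for DNSSEC-validated TLSA lookups (constructed; nothing is queried): TLSA owner name to
// record data for usage 2, selector 1, matching type 1, i.e. SHA-256 of the signer's SubjectPublicKeyInfo.
var zone = map[string][32]byte{}
// tlsaOwner is the owner name DANE uses for an https service on port 443.
func tlsaOwner(service *url.URL) string { return "_443._tcp." + service.Hostname() }
// publish is the service putting its signing key into DNS (here, into the constructed zone).
func publish(service *url.URL, signer *x509.Certificate) {
	zone[tlsaOwner(service)] = sha256.Sum256(signer.RawSubjectPublicKeyInfo)
}
// mintCert generates a P-256 key for tmpl and returns it with the certificate that parent signed for it
// using signerKey; a nil signerKey means self-signed, so the fresh key signs its own certificate.
func mintCert(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		signerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}
// newSigner is a self-signed, CA-capable certificate for a host: the real service's, or an impostor's.
func newSigner(host string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	return mintCert(tmpl, tmpl, nil)
}
// issueClientCert has a signer sign a client certificate whose Subject Alternative Name carries the user's
// e-mail and whose Issuer Alternative Name claims the service URI, as the message proposes.
func issueClientCert(claimed *url.URL, signerKey *ecdsa.PrivateKey, signer *x509.Certificate, email string) (*x509.Certificate, error) {
	// GeneralNames ::= SEQUENCE OF GeneralName; uniformResourceIdentifier is [6] IA5String.
	ian, err := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(claimed.String())}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: email},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		EmailAddresses: []string{email}, ExtraExtensions: []pkix.Extension{{Id: oidIssuerAltName, Value: ian}}}
	_, cert, err := mintCert(tmpl, signer, signerKey)
	return cert, err
}
// issuerService returns the first URI GeneralName from the Issuer Alternative Name extension.
func issuerService(c *x509.Certificate) (*url.URL, error) {
	for _, ext := range c.Extensions {
		if !ext.Id.Equal(oidIssuerAltName) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return nil, err
		}
		for _, n := range names {
			if n.Class == asn1.ClassContextSpecific && n.Tag == 6 { // [6] uniformResourceIdentifier
				return url.Parse(string(n.Bytes))
			}
		}
	}
	return nil, fmt.Errorf("no URI in Issuer Alternative Name")
}
// verifyClientCert is the relying party's check, done without dereferencing any WebID: the Issuer Alternative
// Name names a service, DANE publishes exactly the presented signer key for that service, that key signed the
// client certificate, and the SAN e-mail is in the service's own domain (a signer vouches only for its own users).
func verifyClientCert(client, signer *x509.Certificate) (string, error) {
	service, err := issuerService(client)
	if err != nil {
		return "", err
	}
	if want, ok := zone[tlsaOwner(service)]; !ok || want != sha256.Sum256(signer.RawSubjectPublicKeyInfo) {
		return "", fmt.Errorf("signer key is not the one DANE publishes for %s", service.Hostname())
	}
	if err := client.CheckSignatureFrom(signer); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	if len(client.EmailAddresses) != 1 || !strings.HasSuffix(client.EmailAddresses[0], "@"+service.Hostname()) {
		return "", fmt.Errorf("SAN e-mail is not in %s's domain", service.Hostname())
	}
	return client.EmailAddresses[0], nil
}
```

To run the flow, parse the service URI (`service, _ := url.Parse("https://example.org/")`), create and publish the service's key (`key, cert, _ := newSigner("example.org"); publish(service, cert)`), issue `client, _ := issueClientCert(service, key, cert, "alice@example.org")`, and then `verifyClientCert(client, cert)` returns the verified address. The two failure modes worth trying are an impostor that mints its own key for `example.org` and issues a certificate claiming the same Issuer Alternative Name (rejected because the zone publishes a different key hash), and the real service issuing a certificate for an address outside its own domain (rejected by the last check).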