security consideration: certificate creation over TLS from Henry Story on 2012-10-19 (public-webid@w3.org from October 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 19 Oct 2012 11:22:09 +0200
To: "public-webid@w3.org" <public-webid@w3.org>
Message-Id: <8D85BE25-2B6B-4DF3-B24A-EE135153C9DB@bblfish.net>

to add to ISSUE-34:

  the security considerations section should suggest that certificates using keygen be created over a TLS connection. The danger otherwise is that a man in the middle could intercept the public key data, send that on to the server, which would add the public key to the profile, create a certificate and return it in the usual manner. But here the man in the middle would then capture the returned certificate, create a new certificate but add a new webid to the san, sign it, and send it on to the client. This would allow the man in the middle then to later confuse servers that could decude from the existence of the two WebIDs in the certificate that both were owl:sameAs each other. 

  Henry

Social Web Architect
http://bblfish.net/

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Friday, 19 October 2012 09:22:45 UTC