ISSUE-21: Temporally Weak URI Ownership

Temporally Weak URI Ownership

State:
RAISED
Product:
WebID-authn-TLS-spec
Raised by:
Nathan Rixham
Opened on:
2011-02-01
Description:
A fundamental element of the WebID protocol, if not the purpose of the protocol, is to establish a URI which can be used as a name (identifier) for the Identifying Agent.

The authorized use of a WebID URI by an Identifying Agent is deemed (by the conceptual protocol) to be established by proving ownership of a token, and then verifying the presence of that token in a representation received by dereferencing the WebID URI.

The realization of this element is currently defined by the use of Public/Private Key pairs, the public key is used as a token, ownership of that token is confirmed by passing the public key in a certificate as part of the TLS authentication flow (where ownership of the corresponding private key is proven), when the WebID is dereferenced the presence of the public key in the representation is verified, and the authorized use of that WebID URI is established.

The use of Public Keys in this manner proves to be temporally weak, in that it only establishes that the key pair holder /had/ write access to the WebID resource at some point in the past, the key pair may since have been stolen, or the machine running the identifying agent may have been compromised.

WebID protocol as it stands, does not make any provision for establishing that an identifying agent still has write access to the WebID resource.

Such provision could be made by swapping, or augmenting, the use of key pairs, with one time tokens - or by some other method.

"WebID resource" is used in this case to refer to the agent which responds to dereferencing requests on the "WebID URI".
Related Actions Items:
No related actions
Related emails:
  1. RE: WebID-ISSUE-22: Key Pair Revocation / WebID reset [WebID Spec] (from home_pw@msn.com on 2011-02-01)
  2. Re: WebID-ISSUE-21: Temporally Weak URI Ownership [WebID Spec] (from henry.story@bblfish.net on 2011-02-01)
  3. Re: WebID-ISSUE-22: Key Pair Revocation / WebID reset [WebID Spec] (from nathan@webr3.org on 2011-02-01)
  4. Re: Documenting implicit assumptions? (from nathan@webr3.org on 2011-02-01)
  5. WebID-ISSUE-21: Temporally Weak URI Ownership [WebID Spec] (from sysbot+tracker@w3.org on 2011-02-01)

Related notes:

No additional notes.

Display change log ATOM feed


Henry Story <Henry.Story@bblfish.net>, Chair, Dominique Hazaƫl-Massieux <dom@w3.org>, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: index.php,v 1.326 2018/10/13 17:29:51 vivien Exp $