[foaf-protocols] Webid Spec: Security Considerations Section?

Akbar Hossain akkiehossain at gmail.com
Sun Aug 15 08:59:30 CEST 2010


So I think on the dereferencing of webid stage
[http://getwebid.org/spec/#verifying-the-webid-is-identified-by-that-public-key]
you can try to

1. Mount a Denial of Service attack when a verifying agent tries to
dereference a WebID.

2. Try a Man in the Middle attack when dereferencing the WebID unless
some countermeasure is employed.

3. Eavesdropping again, unless some countermeasure is employed.

All covered in the paragraph already there I think.

I think there are some considerations related to
[http://getwebid.org/spec/#initiating-a-tls-connection] but they may be
temporal around the DNSSEC and Renegotiation stuff.

4. Denial of Service on the resource you are trying to access in the
first place.

Any others?

[ Having said all that - I was just looking at
http://tools.ietf.org/html/rfc2818#page-6.

"Security Considerations

   This entire document is about security." ]



On Sat, Aug 14, 2010 at 11:46 PM, Dan Brickley <danbri at danbri.org> wrote:
> On Sat, Aug 14, 2010 at 9:46 AM, Akbar Hossain  <akkiehossain at gmail.com> wrote:
>> Hi,
>>
>> I was looking through the RFC for HTTP Authentication: Basic and
>> Digest Access Authentication recently.
>>
>> http://tools.ietf.org/html/rfc2617
>>
>> I quite like the way there is a section on security considerations broken out.
>>
>> http://tools.ietf.org/html/rfc2617#section-4
>>
>> Might want to consider that for the WebID spec?
>>
>> I see there is one consideration in section 3.
>>
>> http://getwebid.org/spec/#secure-communication
>>
>> Breaking out into its own section might encourage a fuller list of
>> security considerations and elevate it.
>>
>> Thoughts?
>
> I'd welcome this...
>
> Dan
>
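As an added, defensive illustration of the three dereferencing concerns raised above (it is example code written for this archive page, not code from the thread or from the WebID spec): a verifying agent that fetches a WebID profile document can refuse plaintext http URLs and http redirects (MitM and eavesdropping), verify the server certificate and hostname as RFC 2818 requires, and bound both the bytes it reads and the time it waits (Denial of Service). The size, timeout and redirect limits are assumptions chosen for the example, not values from the spec.

```python
import io
import ssl
import time
import urllib.request
from urllib.parse import urlparse

# Policy limits: constructed values for this example, not from the WebID spec.
MAX_BODY_BYTES = 256 * 1024      # cap on profile document size
FETCH_TIMEOUT_SECONDS = 5.0      # cap on time spent waiting on the remote host
MAX_REDIRECTS = 3                # cap on redirect chains


class WebIDFetchError(Exception):
    """Raised when a WebID cannot be dereferenced under this policy."""


def check_webid_url(webid: str) -> str:
    """Accept only absolute https URLs; return the profile document URL.

    The fragment (e.g. '#me') names the agent inside the document, so it is
    stripped to obtain the URL that is actually dereferenced.
    """
    parts = urlparse(webid)
    if parts.scheme != "https":
        raise WebIDFetchError("WebID must use https: plaintext http is open to MitM and eavesdropping")
    if not parts.netloc:
        raise WebIDFetchError("WebID must be an absolute URL")
    return parts._replace(fragment="").geturl()


def read_bounded(stream, max_bytes: int, deadline: float) -> bytes:
    """Read at most max_bytes from stream before deadline (a time.monotonic() value).

    A slow or oversized response is abandoned instead of tying up the agent.
    """
    chunks = []
    total = 0
    while True:
        if time.monotonic() > deadline:
            raise WebIDFetchError("timed out reading profile document")
        # Ask for one byte past the limit so an over-limit body is detected.
        chunk = stream.read(min(4096, max_bytes - total + 1))
        if not chunk:
            break
        total += len(chunk)
        if total > max_bytes:
            raise WebIDFetchError("profile document exceeds size limit")
        chunks.append(chunk)
    return b"".join(chunks)


def demo_bounded_read(data: bytes, max_bytes: int) -> bytes:
    """Run read_bounded over a constructed in-memory stream (offline helper)."""
    return read_bounded(io.BytesIO(data), max_bytes, time.monotonic() + FETCH_TIMEOUT_SECONDS)


class _HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Follow at most MAX_REDIRECTS redirects and refuse any downgrade to http."""
    max_redirections = MAX_REDIRECTS

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_webid_url(newurl)  # raises if the redirect target is not https
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_profile(webid: str) -> bytes:
    """Dereference a WebID under the policy above (network access required)."""
    url = check_webid_url(webid)
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), _HttpsOnlyRedirects())
    req = urllib.request.Request(url, headers={"Accept": "text/turtle, application/rdf+xml"})
    deadline = time.monotonic() + FETCH_TIMEOUT_SECONDS
    with opener.open(req, timeout=FETCH_TIMEOUT_SECONDS) as resp:
        return read_bounded(resp, MAX_BODY_BYTES, deadline)


if __name__ == "__main__":
    # Constructed WebID for the demonstration; no network access is made here.
    print(check_webid_url("https://example.org/people/alice#me"))
    print(len(demo_bounded_read(b"x" * 100, 100)), "bytes read within limit")
```

The timeout passed to `opener.open` only bounds each socket operation; the separate deadline in `read_bounded` bounds the whole transfer, which is what a trickling server would otherwise defeat.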
