[foaf-protocols] Webid Spec: Security Considerations Section?

Akbar Hossain akkiehossain at gmail.com
Sun Aug 15 10:23:02 CEST 2010


There was the concern of not losing control of your private key to
your certificate (webid)

Mentioned before on another chain.



On 8/15/10, Akbar Hossain <akkiehossain at gmail.com> wrote:
> So I think on the dereferencing of webid stage
> [http://getwebid.org/spec/#verifying-the-webid-is-identified-by-that-public-key]
> you can try to
>
> 1. Mount a Denial of Service attack when a verifying agent tries to
> dereference a WebID.
>
> 2. Try a Man in the Middle attack when dereferencing the WebID unless
> some counter measure is employed.
>
> 3. Eavesdropping again unless some counter measure is employed
>
> All covered in the paragraph already there I think.
>
> I think there are some considerations related to
> [http://getwebid.org/spec/#initiating-a-tls-connection] but they may be
> temporal around the DNSSEC and Renegotiation stuff.
>
> 4. Denial of Service on the resource you are trying to access in the
> first place.
>
> Any others?
>
> [ Having said all that - I was just looking at
> http://tools.ietf.org/html/rfc2818#page-6.
>
> "Security Considerations
>
>    This entire document is about security." ]
>
>
>
> On Sat, Aug 14, 2010 at 11:46 PM, Dan Brickley <danbri at danbri.org> wrote:
>> On Sat, Aug 14, 2010 at 9:46 AM, Akbar Hossain <akkiehossain at gmail.com>
>> wrote:
>>> Hi,
>>>
>>> I was looking through the RFC for HTTP Authentication: Basic and
>>> Digest Access Authentication recently.
>>>
>>> http://tools.ietf.org/html/rfc2617
>>>
>>> I quite like the way there is a section on security considerations broken
>>> out.
>>>
>>> http://tools.ietf.org/html/rfc2617#section-4
>>>
>>> Might want to consider that for the WebID spec?
>>>
>>> I see there is one consideration in section 3.
>>>
>>> http://getwebid.org/spec/#secure-communication
>>>
>>> Breaking out into its own section might encourage a fuller list of
>>> security consideration and elevate it.
>>>
>>> Thoughts?
>>
>> I'd welcome this...
>>
>> Dan
>>
>

-- 
Sent from my mobile device
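The dereferencing risks listed in the quoted message (denial of service, man in the middle, eavesdropping) correspond to a few concrete controls a verifying agent can apply before it even looks for the public key in the profile: HTTPS only, certificate and hostname validation, no downgrade on redirect, a fetch timeout and a cap on the body size. The following Python is an added example written for this page, not code from the WebID spec or the foaf-protocols project; the host names, the canned documents and the `FakeOpener` are constructed so it runs offline.

```python
"""Hardened dereferencing of a WebID profile document (added example)."""
import io
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

MAX_PROFILE_BYTES = 256 * 1024   # bound on the profile body (DoS: unbounded download)
FETCH_TIMEOUT = 5.0              # seconds (DoS: slow or stalled profile server)


class WebIDDereferenceError(Exception):
    """Raised when a WebID cannot be dereferenced over an authenticated channel."""


def check_webid_uri(webid: str) -> str:
    """Accept only https WebIDs (MITM / eavesdropping counter measure) and
    return the document URL to fetch, i.e. the WebID without its fragment."""
    parts = urlparse(webid)
    if parts.scheme != "https":
        raise WebIDDereferenceError(f"refusing non-https WebID: {webid}")
    if not parts.netloc:
        raise WebIDDereferenceError("WebID has no host")
    # The fragment (e.g. "#me") names the agent inside the document; it is not sent.
    return parts._replace(fragment="").geturl()


def read_bounded(stream, limit: int) -> bytes:
    """Read at most `limit` bytes; fail instead of buffering an oversized body."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise WebIDDereferenceError("profile document exceeds size limit")
    return data


def dereference_webid(webid: str, opener=None) -> bytes:
    """Fetch the profile behind a WebID with TLS verification, a timeout,
    a size cap and a check that no redirect dropped to plain http.
    `opener` is injectable so the function can be exercised without a network."""
    url = check_webid_uri(webid)
    if opener is None:
        ctx = ssl.create_default_context()   # verifies the chain and the hostname
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(url, headers={"Accept": "text/turtle, application/rdf+xml"})
    try:
        with opener.open(req, timeout=FETCH_TIMEOUT) as resp:
            final = resp.geturl()
            if urlparse(final).scheme != "https":
                raise WebIDDereferenceError(f"redirected to non-https URL: {final}")
            return read_bounded(resp, MAX_PROFILE_BYTES)
    except OSError as exc:   # URLError, HTTPError, socket timeouts and TLS failures
        raise WebIDDereferenceError(f"could not dereference {webid}: {exc}") from exc


def dereference_or_reason(webid: str, opener=None):
    """Convenience wrapper: (document, None) on success, (None, reason) on refusal."""
    try:
        return dereference_webid(webid, opener), None
    except WebIDDereferenceError as exc:
        return None, str(exc)


class _FakeResponse:
    """Constructed stand-in for an HTTP response (offline use only)."""
    def __init__(self, url: str, body: bytes):
        self._url, self._stream = url, io.BytesIO(body)
    def geturl(self): return self._url
    def read(self, n=-1): return self._stream.read(n)
    def __enter__(self): return self
    def __exit__(self, *args): return False


class FakeOpener:
    """Constructed opener serving canned documents; maps URL -> (final URL, body)."""
    def __init__(self, docs: dict):
        self.docs = docs
    def open(self, req, timeout=None):
        url = req.full_url
        if url not in self.docs:
            raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
        final, body = self.docs[url]
        return _FakeResponse(final, body)


# Constructed sample profiles: a good one, a downgrade redirect and an oversized body.
SAMPLE_DOCS = {
    "https://example.com/profile": ("https://example.com/profile", b"<#me> a foaf:Person ."),
    "https://example.com/downgrade": ("http://example.com/profile", b"<#me> a foaf:Person ."),
    "https://example.com/huge": ("https://example.com/huge", b"x" * (MAX_PROFILE_BYTES + 1)),
}

if __name__ == "__main__":
    fake = FakeOpener(SAMPLE_DOCS)
    for webid in ("https://example.com/profile#me", "http://example.com/profile#me",
                  "https://example.com/downgrade#me", "https://example.com/huge#me",
                  "https://example.com/missing#me"):
        doc, reason = dereference_or_reason(webid, fake)
        print(webid, "->", doc if doc is not None else f"REFUSED ({reason})")
```

Each refusal corresponds to one item in the quoted list: the scheme and redirect checks close the man-in-the-middle and eavesdropping cases by never reading the profile over an unauthenticated channel, while the timeout and body cap keep a hostile or slow profile host from tying up the verifying agent.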

