[foaf-protocols] Webid Spec: Security Considerations Section?

Henry Story henry.story at gmail.com
Sun Aug 15 12:33:01 CEST 2010

(Some of these points are just rewordings of what Akbar wrote)

- There are issues around WebIds with insecure protocols such as http:// or ftp:// .

- Sections on cryptosticks and other hardware devices
  [ question for us: should we add something about this to the ontology? So that when a public key's private key is hardware only the user can specify this in his foaf? ]

- One should explain what is known by the server from the process: the WebId and nothing more. All the rest of the information in the foaf is asserted by the wid.

- How the fact that information in the foaf profile even though being asserted can be trusted more than just an assertion, say if other people one knows point to it. It should be pointed out that there are many ways other information can be used to increase the trust of some information.

- It may be worth having a section about how if the foaf:PersonalProfileDocument points to another document, which points back to the foaf, one can consider this as a form of validation.

Perhaps there should be a section on reasoning with the information that covers the last three points.

By the way one could have a philosophical introduction to knowledge, such that all knowledge is defeasible. Robert Nozick's definition of knowledge in Philosophical Explanations is very interesting and worth considering.

S knows that P if and only if

  - P is True
  - S believes that P
  - if P were not true S would not believe it
  - if P were true S would believe it

The interesting thing about this definition of knowledge is that it shows how it is possible that I know I am writing this from Fontainebleau, France, even though I don't and can't know I am not a brain in a vat on Alpha Centauri. ( Nice summary here:
 http://www.erin.utoronto.ca/~jnagel/333h16.htm )

Security is very much like knowledge: one can be more secure, but one can always find counterexamples that would leave one wondering if one can be secure at all.


On 15 Aug 2010, at 08:59, Akbar Hossain wrote:

> So I think on the dereferencing of webid stage
> [http://getwebid.org/spec/#verifying-the-webid-is-identified-by-that-public-key]
> you can try to
> 1. Mount a Denial of Service attack when a verifying agent tries to
> dereference a WebID.
> 2. Try a Man in the Middle attack when dereferencing the WebID unless
> some counter measure is employed.
> 3. Eavesdropping again unless some counter measure is employed
> All covered in the paragraph already there I think.
> I think there are some considerations related to
> [http://getwebid.org/spec/#initiating-a-tls-connection] but they may be
> temporal around the DNSSEC and Renegotiation stuff.
> 4. Denial of Service on the resource you are trying to access in the
> first place.
> Any others?
> [ Having said all that - I was just looking at
> http://tools.ietf.org/html/rfc2818#page-6.
> "Security Considerations
>   This entire document is about security." ]
> On Sat, Aug 14, 2010 at 11:46 PM, Dan Brickley <danbri at danbri.org> wrote:
>> On Sat, Aug 14, 2010 at 9:46 AM, Akbar Hossain  <akkiehossain at gmail.com> wrote:
>>> Hi,
>>> I was looking through the RFC for HTTP Authentication: Basic and
>>> Digest Access Authentication recently.
>>> http://tools.ietf.org/html/rfc2617
>>> I quite like the way there is a section on security considerations broken out.
>>> http://tools.ietf.org/html/rfc2617#section-4
>>> Might want to consider that for the WebID spec?
>>> I see there is one consideration in section 3.
>>> http://getwebid.org/spec/#secure-communication
>>> Breaking out into its own section might encourage a fuller list of
>>> security considerations and elevate it.
>>> Thoughts?
>> I'd welcome this...
>> Dan