[foaf-protocols] Lack of browser support
henry.story at bblfish.net
Sun Feb 28 22:12:52 CET 2010
On 28 Feb 2010, at 21:53, Peter Williams wrote:
> Henry Story wrote:
>> That is my question here:
> If I were doing it, I (still) do exactly what I did 15 years ago when designing for the web/internet, when I stuffed a PKCS7-sealed secret in my directory entry for the asserting party to leverage. (Folks at GMD in Darmstadt did exactly the same thing, on what was a joint project also with INRIA). PKCS7 was not quite a well-established community standard at that point (unlike today, where it is commodity - in java and .net)
Ok, so we have the password and we sign it with the public key of the IDP.
That is what Akbar suggested earlier. And I agree this can be done.
> Now, once sealed for a particular IDP, the IDP essentially does PKCS7-unwrapping-procedures to learn (from the very act of being able to decrypt the stored digest-auth password) that it "is authorized" to validate the user (using digest auth). Incidentally, it also gets the necessary crypto material for digest-auth (that it can then admittedly abuse, to spoof the user). (1) policy-based control, then (2) material transfer, then (3) assurance/risk.
Only if the password is the same at some other site. Otherwise the spoofing won't work.
> If the user wants to authorize 9 IDPs to so act, there are 9 PKCS streams attached to the webid/foaf-card - each one targeting a given IDP by URI. More advanced use of PKCS7 sealing would allows one attached stream to target all 9 IDPs, encrypting for each under its public key the crypto material one wishes to transfer (the users digest-auth password, when all said and done). This is an simple example of group-keying (also used in S/MIME variant of PKCS7 for encrypted email), and cryptographers will argue all day about the merits and demerits of 100 such schemes. The way I state is typical military key management process (based on years of similar application to secure email). You get to 80%, for almost no effort.
But I completely agree. And I have never said this was not possible. This is possible to do, and relatively easy to imagine.
The problem I argue in the mail referenced above is not that it won't work, it's just that I don't see it catching on.
Why I don't see it catching on, is explained there, so I won't repeat myself.
But if people really think it can then by all means try it. You need to write an ontology with a few relations such as
 a Password;
pkcs7 "123124DFDDD..." .
The you need to get people to write that out in their foaf file, and make sure they do it correctly.
If it catches on, I'll be amazed.
More information about the foaf-protocols