[foaf-protocols] Why SAN?

Akbar Hossain akkiehossain at gmail.com
Fri Sep 17 22:45:26 CEST 2010


Hi Nathan,

I believe the closest example (priori) to what you are asking is the
delegated FOAF+SSL protocol.

Namely foafssl.org does the SSL hand shake with the client (Identifying Agent).
foafssl.org then communicates the webid via http to the Verifying
Agent using a signature. (foafssl.org doesnt need a SAN entry)

There are a few things with the current delegated protocol which might
need to be thought about further which may help your thought process.

The key exchange of foafssl.org and verifying agent is out of band.
(its pre-swapped). We could add a referer to the signed call.
Which the Verfiying Agent could use to fetch the public key used to
sign the message sent across.

(The signing is as per Henry comment of ensuring the message is not
tampered with)

The other thing is replay attacks. With the delegated protocol there
is a window during which replays can be performed.
(the timestamp field). There are a few threads on the group related to
http auth digest which might help with that regard.

Thanks

(Obviously the native SSL is easier than all this)


More information about the foaf-protocols mailing list