[foaf-protocols] non issue comments on webid IX draft

Peter Williams home_pw at msn.com
Mon Feb 21 23:22:48 CET 2011



I may be 12 months too early in this topic (though it may influence how the webid spec's requirements are formulated). If you think so, Ill forward to the w3c list.
 
To drive the point home, comprehend all of section 3.1 (ignoring step #6) and answer the following questions, says the school exam:-
 
if the verifier receives a cert with 100 SAN URI entries, and the first entry tried has failed to obtain a document whose contents matches the cert, what should the verifier do?
 
a. exit and refuse access
b. try the next SAN URI, but no more than reasonable
c. having tried 49 URIs, exit at 50 if it fails since 50 is half of 100
d. iterate through all 100, till one works
e. none of the above.
 
Should the spec imply the answer to the above?
 
if the verifier scans an XHTML document with well formed RDFa that matches the client cert but notices that that document has javascript with malicious content, what would be best to do:
 
a. cache the document, and proceed to access control
b. proceed to access control, but refuse to cache the document
c. reject the document and try the next URI in sequence
d. abandon the protocol run
e. none of the above.
 
Should the spec imply the answer to the above?
 
 
if the verifier consults a URI reputation source before attempting to contact the resource and notes that the URI is in an IP  block known to affiliate with criminal syndicates, what should the verifier do?
 
a. reject the certificate and then ask for a new client certificate
b. reject the cert and the blacklist the IP address of the sender locally
c. ignore the URI, but try the next one in the list
d. try a different DNS server for the authority in the URI, to see if there is a better reputation opinion there
e. let google worry about it by only relying on Google websso (since Google processes the webid issues).
 
Should the spec imply the answer to the above?
 


From: henry.story at bblfish.net
Date: Mon, 21 Feb 2011 22:03:12 +0100
CC: foaf-protocols at lists.foaf-project.org
To: home_pw at msn.com; public-xg-webid at w3.org
Subject: Re: [foaf-protocols] non issue comments on webid IX draft


This really belongs to the WebID mailing list, as we are discussing the spec there.



On 21 Feb 2011, at 19:17, peter williams wrote:



http://www.w3.org/2005/Incubator/webid/spec/#processing-the-webid-profile
 
Let me criticize the spec, as will real security experts (not that I can claim to being one, being a mere “enthusiast”).
 
Sayeth the spec, the resource server MUST ping all servers which are listed in the SAN array of URIs. If I make a cert with 10,000 URIs and none of the foaf:agents’ RDF documents match the client authn client cert’s pubkey, the resource server MUST ping upto 10,000 other servers - chosen by the attacker.


I don't know where you find that.


In section 3.1 it says "with at least one" quite clearly


[[
The Verification Agent must attempt to verify the public key information associated with at least one of the claimed WebID URIs. The Verification Agent may attempt to verify more than one claimed WebID URI. This verification process should occur either by dereferencing the WebID URIand extracting RDF data from the resulting document, or by utilizing a cached version of the RDF data contained in the document or other data source that is up-to-date and trusted by the Verification Agent. 
]]

http://www.w3.org/2005/Incubator/webid/spec/#authentication-sequence






 Can a server impose a local limit – one process more than 5? Don’t process ANY, if more than 5 present, etc?





 
Implieth the spec,  the resource MUST trawl the web each time a client authn event is received (60 a second… on average?). This seems to imply that resource servers MUST be able to choose to (i) ignore events selectively (addressing DOS,DDOS using velocity counters) (ii) ignore based on local criteria.  Since one doesn’t want those 59 attacking events on the internal network, probably the firewall SSL interceptor needs to be doing the filtering and selecting (on behalf of the array of web servers)


Where do you find that said in the spec precisely? If it is saying that then it is wrong.





 
Assuming that the document is pulled, one has to allow resource server (or more likely the firewall) to scan the inbound content (for malicious javascript, say); since the URI is user-sponsored.


The Relying Party (to use http://identitycommons.org/ vocabulary ) does not need to exectute anything in the certificate. Clearly there is not reason to do so. And if there were, I don't think that that would be up to this spec to talk of, since we don't require javascript in the certificate.





 
It was unclear in the way the spec lays out the verification steps in sequence (i) having performed SSL mutual auth merely to learn the webid (from parsing a SAN field on the inbound cert) and (ii) having pulled the document referenced by the SAN URI, whether an ADDITIONAL handshake of SSL is required. (This is what I read the spec to say, note. Clear this up, if only 1 handshake is required).


yes, that's odd. I am not sure how that ended up in the spec






 
The spec is very unclear on what happens when an SSL resume handshake is used (and the server supplies the client cert to the servlet/CGI consumer based on its SSL session state, rather than from the wire).


Can you develop this a bit? (don't go into too much length, a few pointers to the right spec, or descriptions of the problem, and how it affects us will do)







 _______________________________________________
foaf-protocols mailing list
foaf-protocols at lists.foaf-project.org
http://lists.foaf-project.org/mailman/listinfo/foaf-protocols






Social Web Architect
http://bblfish.net/
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20110221/793d58cc/attachment.htm 


More information about the foaf-protocols mailing list