Re: [TLS] foaf+tls for distributed social networks - 2 questions

To: Nikos Mavrogiannopoulos <nmav at gnutls.org>
Subject: Re: [TLS] foaf+tls for distributed social networks - 2 questions
From: Bruno Harbulot <Bruno.Harbulot at manchester.ac.uk>
Date: Fri, 24 Apr 2009 15:16:23 +0100
Cc: Henry Story <Henry.Story at Sun.COM>, tls at ietf.org, foaf-protocols at lists.foaf-project.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <49A7C991.5050309 at gnutls.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <6CF4BBB1-9004-44B7-A08E-62BA8D1F9F86 at Sun.COM> <49A7C991.5050309 at gnutls.org>
User-agent: Thunderbird 2.0.0.21 (Macintosh/20090302)

Hello,

Nikos Mavrogiannopoulos wrote:

Henry Story wrote:

Dear TLS experts,

We are working on a very simple protocol for distributed identity in a
web of trust that uses TLS in a novel way. The details of this are short
and can be found online [1]. Here I'd first just like to ask two
questions, to get into the heart of the problem, then I'll explain why
these came up.


After the explanation and seeing the protocol description I still do not
understand why you need the client certificate for what you want to
achieve.  Why you don't send the information you need for foaf on the
application layer (if it is http via a cookie etc)? Why send a dummy
certificate and add some extensions on it? Also the security offerings
are not clear to me. What will that protocol offer, security-wise?

As an authentication mechanism, the main goal of FOAF+SSL is to bind theclient to the URI (of a foaf:Agent), in the same way as the client wouldbe bound to a Subject DN in a PKI.

In short, FOAF+SSL certificates are X.509 certificates that contain apublic key and foaf:Agent URI in its subject alternative name extension;more or less all the rest is ignored. (For people not familiar withFOAF, foaf:Person is a subclass of foaf:Agent that models a person, forexample.)

To compare FOAF+SSL and PKI: what binds the client to a Subject DN isboth (a) the TLS handshake (which links the client the holder of theprivate key matching the public key in the client cert) and (b) theverification of the actual certificate (certification path to trustanchor, etc.)FOAF+SSL also uses the fact that the client presents both an identityclaim (its foaf:Agent URI in the client certificate instead of an X.500Subject DN) and the public key (which matches the private key the clientactually has). Only the evaluation of trust in the client-certificatechanges. At this stage, whether the client certificate is self-signed orsigned by another party isn't particularly important, since it's notwhat's used to verify its content.

There are two ways of verifying the certificate in FOAF+SSL, and thesecurity offerings are significantly different: dereferencing andcryptographic web-of-trust.



A. Dereferencing

Dereferencing is the main method explained on Henry's blog [1][2]. (Ishould point out that Henry's use of "web of trust" is more about howindividuals link to each other in a social network and doesn'tnecessarily involve signing those assertions, as in OpenPGP, which makesit somewhat different from a "cryptographic" web of trust).


It works as follows:

1. The client presents a certificate (self-signed or not) thatcontains a URI (such as <https://romeo.example/#me>, a foaf:Agent), anda public key.2. The server dereferences this URI (i.e. does an HTTP GET) andprocesses the content of the document, which will contain a public keyassociated to this URI.3. If the public key in the dereferenced document for this URI andthe public key in the client certificate match, then the verification issuccessful.

The security of this verification model depends on how much theauthenticating server can trust the authenticity of document that wasobtained by dereferencing the URI. In particular, it must trust theserver certificate of 'romeo.example' and the fact that no one tamperedwith the file on that server.

This level of security is suitable for some applications, but probablynot all.



B. Cryptographic web of trust

I've talked a bit more about this on my own blog [3]. It's possible tosign sub-graphs asserting the links between an ID (the URI) and a publickey.This way, one could have a set of trust anchors under the form of alocal/trusted FOAF file (or something else) against which to evaluate acertificate (à la OpenPGP). Similarly, a hierarchical model could bebuilt. The level of assurance here depends on how much you trust thetrust anchors and potential introducers; it's likely to be greater thanwith the dereferencing method.

The security levels are quite flexible, and systems using FOAF+SSL forauthentication and authorisation ought to be configured according to therequirements of the application (like any system, I suppose). When wesay that FOAF+SSL is a secure protocol, we really ought to qualify thatassertion.

The advantage of the FOAF+SSL approach (putting the information in anX.509 certificate as opposed to creating another type of certificate) isthat this works without modifying the implementation of SSL/TLS stacks.The only changes required are in the customisation of the evaluation oftrust in a client certificate.This requires some specific configuration in the application, but nochanges of the SSL-related libraries themselves if they have such hooks(JSSE and OpenSSL work, at least). In fact, for development purposes,we've accept any certificate during the handshake and do theverification at the application level.

The original questions that Henry sent were related to the way thebrowser chooses a certificate (or asks the user to choose). Because theFOAF+SSL certificate is self-signed, the server has to be configuredwith an empty list of CAs in the CertificateRequest. This is the sameproblem as the one addressed in Section 3.4 of RFC 5081 [4].To make the choice of certificate easier in the browser, we had thoughtof having an "open CA", for which we would distribute the private keyopenly, just for the sake of making the servers add that CA in theCertificateRequest list. I've since realised that we don't really needthat, since only the name matters: we could just make the server ask fora conventional name and the self-signed client certificate would havethat issuer name [5]. Of course, this wouldn't be compliant with RFC5280 [6].

We would be interested in feedback regarding this approach, inparticular whether this would break with further versions of TLS.



Best wishes,

Bruno.



[1] http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to
[2] http://blogs.sun.com/bblfish/entry/more_on_authorization_in_foaf

[3]http://blog.distributedmatter.net/post/2009/03/07/Signing-FOAF-files%3A-FOAF-files-as-certificates

[4] http://tools.ietf.org/html/rfc5081#section-3.4

[5]http://lists.foaf-project.org/pipermail/foaf-protocols/2009-April/000450.html

[6] http://tools.ietf.org/html/rfc5280

Follow-Ups:
- Re: [TLS] foaf+tls for distributed social networks - 2 questions
  - From: Nikos Mavrogiannopoulos

References:
- [TLS] foaf+tls for distributed social networks - 2 questions
  - From: Henry Story
- Re: [TLS] foaf+tls for distributed social networks - 2 questions
  - From: Nikos Mavrogiannopoulos

Prev by Date: Re: [TLS] Comparative cipher suite strengths
Next by Date: [TLS] Working Group Last Call for draft-ietf-tls-rfc4366-bis-04
Previous by thread: Re: [TLS] [foaf-protocols] foaf+tls for distributed social networks - 2 questions
Next by thread: Re: [TLS] foaf+tls for distributed social networks - 2 questions
Index(es):
- Date
- Thread

Re: [TLS] foaf+tls for distributed social networks - 2 questions

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.