validating SAN URIs in gntls (FW: [foaf-protocols] Fwd: [Freedombox-discuss] WebID)

peter williams home_pw at msn.com
Mon Mar 7 19:30:43 CET 2011


The following may be a little hard to follow, lacking much context here.
But, its essentially saying that a TLS server might validate a client cert
using document retrieved from its SAN URI field (much as the GNUTLS
implementation already validates the DNS SAN URI field by talking to
DNS...).

One might want to think about enabling GNUTLS server's to easily add a
validation callback *mechanism* for the case that SAN URI(s) (possibly
plural) are received in client certs.

I did change certtool(1) src to generate SAN URIs as discussed here once
before, but did it in a way that was reprehensible (and quick). It's not
code I could release... since I just modified the existing code for
populating SAN RFC822 names to make them generate SAN URIs names instead,
destroying the support for RFC822 names. Whoever programmed certtool(1)
initially could probably add SAN URI support properly, in 15-30 minutes.



-----Original Message-----
From: foaf-protocols-bounces at lists.foaf-project.org
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Melvin
Carvalho
Sent: Sunday, March 06, 2011 10:56 AM
To: foaf-protocols at lists.foaf-project.org; WebID XG; Inkster Toby
Subject: [foaf-protocols] Fwd: [Freedombox-discuss] WebID

FYI

WebID + perl implementation in debian

---------- Forwarded message ----------
From: Jonas Smedegaard <dr at jones.dk>
Date: 6 March 2011 19:27
Subject: [Freedombox-discuss] WebID
To: freedombox-discuss at lists.alioth.debian.org


On Tue, Mar 01, 2011 at 07:51:07PM +0100, Melvin Carvalho wrote:
>
> On 1 March 2011 19:34, Jonas Smedegaard <dr at jones.dk> wrote:
>>
>> On Tue, Mar 01, 2011 at 07:04:53PM +0100, Melvin Carvalho wrote:
>>>
>>> On 1 March 2011 18:44, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:
>>>>
>>>> On 03/01/2011 12:33 PM, Melvin Carvalho wrote:
>>>>>
>>>>> But actually there is a way in the case of the Freedom Box, because
you have the advantage of controlling your own server.
>>>>>
>>>>> Since you are already running a webserver and (hopefully) have control
of your DNS.
>>>>>
>>>>> You can provide a two-way verification chain.
>>>>>
>>>>> 1. Your Person Profile publishes your public key.  (this is a few 
>>>>> lines of html5, should be easy) 2. Point your self-signed X.509 to
your Freedom Box profile.  This can be done by putting an entry in the
SubjectAltName field of the cert, a common technique.
>>>>>
>>>>> This provides strong verification for all the X.509 tool chain and
means you can talk security to any server using SSL/TLS which is most of
them, providing strong authentication as a side product.
>>>>
>>>> This doesn't provide an adequate means of revocation, though.  If an
attacker gets control over your key, and is able to repoint DNS, then you
cannot publish any revocation statement about this key through this channel.
>>>
>>> If an attacker does gain these two points of control, and they knew what
they were doing, you could have an issue yes.
>>>
>>> We need to scope out a revocation model, but I dont think it's that
hard.  May already be something existing, I'll have a check.
>>
>> Without plauing with it yet myself, I blindly assumed Monkeysphere was
usable for exactly this: use GPG web of trust to assure certificates.
>>
>>
>>>> These two points are what i meant when i said that this model has "no
way of verifying/revoking these keys".
>>>>
>>>> I'm sure you could graft something like this onto <X.509+your scheme
above>; but OpenPGP already exists and handles these cases pretty well.  Why
reinvent the wheel?
>>>
>>> Because X.509 is quite webby, and the web is the dominant ecosystem on
the internet.
>>
>> more specifically: TLS allows for RESTful secure identity handling -
which helps save bandwidth as is is friendly to proxies and other caching.
>>
>> http://www.w3.org/wiki/WebID
>
> Yes, exactly.
>
> There's a group that has now moved this a step closer to standardization
with the a W3C Web Consortium Incubator Group.
>
> http://www.w3.org/2005/Incubator/webid/charter
>
> I know revocation has been raised as a topic.  I normally listen in on the
telecons, so I can report back on this topic, and any others people with to
raise.

Awesome!


On a related note, I now (after fighting intensely with it for 3 days,
producing the needed 27 Debian packages) I have now packaged
libcgi-auth-foaf-ssl-perl which is a Perl implementation of WebID.

The work is now pending approval into Debian, and is also available using
the following APT line:

 deb http://debian.jones.dk/ sid freedombox

I would appreciate any and all comments on these packages (and also do tell
me if you are interested in the field of RDF using Perl and need other
libraries packaged!).


- Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJNc9H+AAoJECx8MUbBoAEhcNcP/3ywfLzHBUxbMM2B5gJCKl84
4iXuO1CmunC/cJzFUiF8B7uB1ZL0xQjTjYX1V78QF0ae+hpLKKnFCaF/mXypmXey
IUtYTawQ84xAl7aH1V//z7fNJ7810lcj5JTvcyoNlB6lEnydmZpZ1Yhe+D2SM03J
46i8Xux3DS6XaIq7KBCUgmGXkhqAG1ArT4DrflEbkILY757cGn753U0O0puoqRkE
2YG8FKeYV149meKWlRcaJ9RcPaAWLXlr1YlKqkyM/J3OV2IBFBAW4zNl2Z766uZa
1Qmnc7wVRccdqYQEUMs8XUWYQh6sEjU4LjWDXHiTx0bgl33ikXGCttiWntx6gNBa
au2pfgNGeXzIh6vRbxMLOUYJ76xM4UZ9moKV/dah1PIBkuaP82nruV9ChSaiXrJL
pgzDVZ1WvrwPcOlekLyVWZjfKJY47aRpmSl7/lRBgCWc7/jcjOz9IuLCxs7Gzq5j
nPhLC03nGdbZJzyJneVkyJHbIEzgRiatgCBVXAQJKBybKfO9Mm0uqkes2w3MyBd9
p0F7Kuc0zEoUn520hExscuMxoFAadGYiZt6oAdETCeMiZuIAxuUSHz5GedRWAWRf
0juQYBdAzxim0DpLCZikijbD+5N6W7V4bRoaTWd7FKUrgmxyIhuE3ooYlBV1FNXw
ArPmQbjaPRkgLA/C8Tkf
=SDSs
-----END PGP SIGNATURE-----

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss at lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: </pipermail/attachments/20110307/22ae7165/attachment.pgp>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Untitled attachment 00340.txt
URL: </pipermail/attachments/20110307/22ae7165/attachment.txt>


More information about the Gnutls-devel mailing list