FOAF+SSL: RESTful Authentication for the Social Web

The European Semantic Web Conference (ESWC) will be held in Heraklion on the Island of Crete in Greece from 31 May to 4 June. I will be presenting the paper "FOAF+SSL: RESTful Authentication for the Social Web" which I co-authored with Bruno Harbulot, Ian Jacobi and Mike Jones. Here is the abstract:

We describe a simple protocol for RESTful authentication, using widely deployed technologies such as HTTP, SSL/TLS and Semantic Web vocabularies. This protocol can be used for one-click sign-on to web sites using existing browsers — requiring the user to enter neither an identifier nor a password. Upon this, distributed, open yet secure social networks and applications can be built. After summarizing each of these technologies and how they come together in FOAF+SSL, we describe declaratively the reasoning of a server in its authentication decision. Finally, we compare this protocol to others in the same space.

The paper was accepted by the Trust and Privacy on the Social and Semantic Web track of the ESWC. There are quite a number of interesting papers there.

I have never been to Greece, so I have a feeling I will really enjoy this trip. Hope to see many of you there.

Comments:

Hi Henry!

This is really cool stuff! Congrats!

I read it very carefully and have one question. Would step 4, the fetching of the foaf file, need to be done in a secure manner, such that a potential man-in-the-middle attacker cannot repudiate a false foaf file with a spoofed public key? Would such a step need to rely on a CA-signed certificate (PKI)?

Thanks!

Posted by Jirka on May 14, 2009 at 08:46 PM CEST #

In the paper the Subject Alternative Name of Romeo is an https URL. This is important on an open internet as it makes it very very difficult to have a man in the middle attack (on a closed network this would not be a problem).

I think http urls could be ok too. It would just mean that the Service Provider (Juliet's server in this case) would have to judge the risk of a man in the middle attack and the value of the information she is revealing.

Of course if Romeo puts his file behind an https server, then this can increase the trust Juliet's server has in whom she is speaking to.

Romeo only needs one certificate for all his files, which could number in the billions. With laws such as the French hadopi law requiring people to secure their servers, we may find a very strong need for security developing.

Posted by Henry Story on May 15, 2009 at 08:29 AM CEST #
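As an added example (not the paper's or this blog's code) of the server-side decision the abstract describes and the https point raised in the reply above: the server reads the WebID from the client certificate's Subject Alternative Name, dereferences it (step 4 in the first comment) and accepts only if the fetched profile lists the certificate's RSA key. The names, URLs and the inline profile are constructed; the certificate is assumed to be already parsed into its fields.

```python
"""FOAF+SSL server-side check (constructed example, not the paper's code)."""
from dataclasses import dataclass
from urllib.parse import urldefrag, urlsplit

# Namespaces of the cert/rsa vocabularies the paper's FOAF files use.
CERT = "http://www.w3.org/ns/auth/cert#"
RSA = "http://www.w3.org/ns/auth/rsa#"

@dataclass(frozen=True)
class ClientCert:
    """The parts of the (self-signed) client certificate that matter."""
    san_uri: str   # subjectAltName URI: the WebID (profile URL + #me)
    modulus: int   # RSA modulus of the certificate's public key
    exponent: int  # RSA public exponent

def keys_for(webid, triples):
    """(modulus, exponent) pairs the fetched profile asserts for webid."""
    keys = set()
    for key_node, p, o in triples:
        if p == CERT + "identity" and o == webid:
            facts = {p2: o2 for s2, p2, o2 in triples if s2 == key_node}
            mod = facts.get(RSA + "modulus")           # cert:hex literal
            exp = facts.get(RSA + "public_exponent")   # cert:int literal
            if mod is not None and exp is not None:
                keys.add((int(mod, 16), int(exp)))
    return keys

def authenticate(cert, fetch, require_https=True):
    """Step 4: dereference the WebID; return it only if its profile vouches for the key."""
    doc_url, _ = urldefrag(cert.san_uri)
    if require_https and urlsplit(doc_url).scheme != "https":
        return None  # plain http: an on-path attacker could substitute the profile
    if (cert.modulus, cert.exponent) in keys_for(cert.san_uri, fetch(doc_url)):
        return cert.san_uri
    return None

# Constructed sample: Romeo's profile, already parsed into (s, p, o) triples.
ROMEO = "https://romeo.example/profile#me"
KEY = "https://romeo.example/profile#key"
ROMEO_PROFILE = [(KEY, CERT + "identity", ROMEO),
                 (KEY, RSA + "modulus", "c0ffee"),
                 (KEY, RSA + "public_exponent", "65537")]

def fetch_profile(url):
    """Stand-in for the HTTPS GET of step 4; serves only Romeo's document."""
    return ROMEO_PROFILE if url == "https://romeo.example/profile" else []

if __name__ == "__main__":
    print(authenticate(ClientCert(ROMEO, 0xC0FFEE, 65537), fetch_profile))
```

A certificate presenting the same WebID but a key the profile does not list is rejected, as is a WebID whose document can only be fetched over plain http.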

Jirka,

A minor point but "repudiate" doesn't mean what I think you think it means. It means to deny the authority of something, for example, to say that a letter which appears to have been written by you was not actually written by you or to say that the actions of an employee or agent weren't authorized.

I think you think it means something like "replace".

"Repudiate" is used often enough in this area that I hope you'll find this comment more useful than irritating.

Posted by Ed Davies on May 15, 2009 at 05:11 PM CEST #

Thanks Henry and Ed for your comments.

Ed, I meant "repudiate" as in "non-repudiation", i.e. "inability to prove origin and integrity" of a message, and as it relates to a man-in-the-middle attack.

http://en.wikipedia.org/wiki/Non-repudiation

I'm a security junkie, so may not be getting this right. Are you saying that word cannot be used in this context?

Henry, thanks for clarification, I missed the https in the scenario. I was wondering how the requirement for a CA-issued certificate in Romeo's server impacts the balance of the ecosystem. Specifically, since the paper suggested that a great advantage here is that the agent can use just any certificate in step 3.

Your comment made it more clear to me that the advantage is still significant as the trusted server may be used to serve many more identities and thus the (expensive) CA-issued certificate is shared, while the individual identities still may keep using self-signed certificates.

Good job!

Posted by Jiri on May 18, 2009 at 01:35 PM CEST #
