[Debwebid-discuss] Web ID as passwordless authentication for debian web services

Olivier Berger olivier.berger at it-sudparis.eu
Wed Aug 28 09:08:58 UTC 2013 

Hi Daniel.

I've been slowly trying to play with OpenPGP and WebID, in the context
of its use in the Debian project, and wanted to investigate the possible
solutions to bind an OpenPGP key to a WebID.

Maybe your expertise on OpenPGP specs can help here.

Basically, in the same way as a X590 cert points with the subjectAltName
to a URI of a WebID document, I'd like my pubkey to point to such a URI.

I have checked in RFC 4880, and there seems to have been plans for
possible User attributes, but so far there's only such a use for photos
as JPEG.

I've then tried to embed a RDF triple pointing to the WebID URI inside a
QR code image, that I can then add as a (preferaby not primary) photo ID
in my pubkey (see a description of my experiment and some comments at [0]).

As a back link, my WebID then points back to the pubkey's
fingerprint. See an example at [1] for one of my own key.

I think this may be a way to allow some use of WebID, relying on the
Debian OpenPGP web of trust, and not necessarily on client certs. Of
course, a WebID could then be bound to both an OpenPGP key and a X509
cert.

The use of a QR code JPEG photo id is a bit of a hack, so do you have
any ide of whether it could be possible to support other types of user
attributes suck as a WebID URI, or some RDF fragment ?


Btw, I've just created a ML (in CC:) on alioth to serve for future
discussions about WebID in Debian, as a followup of the WebID BoF that
occurred at DebConf (gently moderated by Jonas, as I couldn't make it to
Le Camps). Feel free to join ;)


Best regards,

[0] http://lists.w3.org/Archives/Public/public-webid/2013Aug/0087.html
[1] http://www-public.telecom-sudparis.eu/~berger_o/info/pubkey/pubkey.txt

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> On 05/14/2013 10:03 AM, Jonas Smedegaard wrote:
>
>> I have also thought WebID would be a perfect match for things like this.
> [...]
>
> And as a project, we already have a community-reinforced authentication
> infrastructure (the OpenPGP certification network that all contributors
> have to be connected to, as guided by the excellent debian-keyring
> maintainers) that we could tie that key verification to without exposing
> ourselves to greater risk from the diginotars of the world.
>
> if i can help in implementing a debian-keyring-derived verification of
> Web-ID-discovered keys for client-side TLS authentication, i'd be happy
> to try to pitch in in my copious (why is there no sarcasm emoticon yet?)
> free time.
>

-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debwebid-discuss/attachments/20130828/1a57d101/attachment.sig>

More information about the Debwebid-discuss mailing list