WebID Access Delegation

"Extending the WebID Protocol with Access Delegation" presentation at the COLD 2012 workshop (ISWC) in Boston.

Philipp Frischmuth

November 12, 2012

Transcript

  1. COLD2012, Boston, 12.11.2012
     Extending the WebID Protocol with Access Delegation
     Sebastian Tramp, Henry Story, Andrei Sambra, Philipp Frischmuth, Michael Martin, and Sören Auer
  2. WebID
     „A WebID is a hash HTTP URI which denotes an agent. You can GET an RDF model as TURTLE.“
  3. WebID Protocol
     [Figure: X.509 CERTIFICATE, SELF-SIGNED; SAN https://my-profile.eu/people/pfrischmuth/card#me; DATE 12. November 2012]
  4. Photo Sharing Example (contd.)
     • Roster of all friends required for authorization decision
     • Friends may restrict access to that information
     • Problem: Server may need to access WebID profiles in the name of the user
  5. Terms
     • The secretary acts in the name of another agent, the principal.
     • The principal is the agent who has a secretary that acts on its behalf.
  6. General Principles
     • Distinguish secretary from principal
     • Easy to use
     • Minimal protocol footprint
     • Efficiency
  7. S1: Acting as the user
     • Agent A acts as the user U
     • Certificate Cu with WebID of U as SAN
     • Add public key to profile Pu
     • No change to WebID protocol (+)
     • Full trust required
  8. S1: Limitations
     • Agent A serves multiple users U1,...,Un
     • Problems: data perspective, efficiency
  9. S2: Origin Server acting on Behalf of a User
     • Agent A uses same certificate for server and client roles
     • Origin server match = same trust in client role as in profile provider role (server)
     • X-On-Behalf-Of HTTP header
     • One TLS connection + multiple requests on behalf of different users
  10. S2: Limitations
     • Wider usage of same key poses a higher risk when key is compromised
     • When client key is compromised, also the server key is affected
     • Origin server may be different from profile provider
  11. S3: Secretary acting on Behalf of a User
     • Secretary acts as agent with WebID
     • Principal adds :secretary relation to profile
     • Consumer checks both WebIDs + existence of above relation
  12. [Diagram: Secretary Verification sequence (steps 1-7, with 5a/5b). Participants: Client = Bob's Secretary (Secretary Server, Secretary Profile); Alice's Server (TLS-Light, Service Guard, WebID Verifier, Protected Resource, Cache); Bob's Server (Bob's Profile). Labels: TLS setup, client cert request, certificate & private key verification, HTTPS GET of the Secretary Profile with modulus/exponent comparison (Basic WebID Check), HTTPS GET of Bob's Profile (Secretary Check), Authorization against the Social Graph (Bob, Alice, Alois).]
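The S2 header and the S3 secretary check, as an added example that is not part of the presentation or of the authors' own implementation: a small Python verifier, written for this page, that performs the basic WebID check on the client certificate (modulus/exponent against the secretary's profile, as in the diagram above), reads the X-On-Behalf-Of header from S2, and then runs the S3 check that the principal's own profile names that secretary. The profile documents are constructed inline in a one-triple-per-line Turtle subset, the WebIDs and hosts are placeholders, and the `:secretary` predicate IRI is an assumed placeholder, since the slides give the relation name but not its namespace; only the `cert:` terms are from the W3C cert ontology.

```python
import re
from urllib.parse import urldefrag, urlsplit

# Constructed sample data, not from the presentation. WebIDs and hosts are placeholders.
SECRETARY_WEBID = "https://secretary.example/service#agent"
BOB_WEBID = "https://bob.example/card#me"
ALICE_WEBID = "https://alice.example/card#me"

CERT = "http://www.w3.org/ns/auth/cert#"  # W3C cert ontology: cert:key, cert:modulus, cert:exponent
# The slides name a ":secretary relation" but not its namespace; this IRI is an assumed placeholder.
SECRETARY = "https://example.org/ns/delegation#secretary"

# Constructed profile documents, keyed by document IRI (the WebID without its fragment).
PROFILES = {
    "https://secretary.example/service": f"""
<{SECRETARY_WEBID}> <{CERT}key> <https://secretary.example/service#k1> .
<https://secretary.example/service#k1> <{CERT}modulus> "00c0ffee1234"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
<https://secretary.example/service#k1> <{CERT}exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
""",
    "https://bob.example/card": f"""
<{BOB_WEBID}> <{SECRETARY}> <{SECRETARY_WEBID}> .
""",
    "https://alice.example/card": f"""
<{ALICE_WEBID}> <http://xmlns.com/foaf/0.1/knows> <{BOB_WEBID}> .
""",
}

# One triple per line, full IRIs only, literal objects optionally datatyped.
TRIPLE = re.compile(
    r'^<([^>]+)>\s+<([^>]+)>\s+(?:<([^>]+)>|"([^"]*)"(?:\^\^<[^>]+>)?)\s*\.$'
)


def parse_turtle_subset(text):
    """Parse the constructed Turtle subset into a set of (subject, predicate, object) tuples."""
    triples = set()
    for line in text.strip().splitlines():
        m = TRIPLE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        s, p, o_iri, o_lit = m.groups()
        triples.add((s, p, o_iri if o_iri is not None else o_lit))
    return triples


def fetch_profile(webid):
    """Stand-in for the HTTPS GET of a profile: strip the fragment, look the document up."""
    doc, _fragment = urldefrag(webid)
    return parse_turtle_subset(PROFILES.get(doc, ""))


def webid_check(webid, cert_modulus_hex, cert_exponent):
    """Basic WebID check: the profile lists a key whose modulus and exponent match the certificate."""
    g = fetch_profile(webid)
    want_mod = cert_modulus_hex.lower().lstrip("0")  # hexBinary may carry a leading zero byte
    for s, p, key in g:
        if s == webid and p == CERT + "key":
            mods = {o.lower().lstrip("0") for s2, p2, o in g if s2 == key and p2 == CERT + "modulus"}
            exps = {int(o) for s2, p2, o in g if s2 == key and p2 == CERT + "exponent"}
            if want_mod in mods and cert_exponent in exps:
                return True
    return False


def secretary_check(principal, secretary):
    """S3 check: the principal's own profile names the secretary via the :secretary relation."""
    return (principal, SECRETARY, secretary) in fetch_profile(principal)


def authorize(cert_san_webid, cert_modulus_hex, cert_exponent, headers):
    """Return (effective agent, reason), or (None, reason) when the request must be denied."""
    if not webid_check(cert_san_webid, cert_modulus_hex, cert_exponent):
        return None, "basic WebID check failed for the client certificate"
    principal = headers.get("X-On-Behalf-Of")  # S2 header carrying the principal's WebID
    if principal is None:
        return cert_san_webid, "client acts as itself"
    parts = urlsplit(principal)
    if parts.scheme not in ("http", "https") or not parts.fragment:
        return None, "X-On-Behalf-Of is not a hash HTTP URI"
    if not secretary_check(principal, cert_san_webid):
        return None, f"{principal} does not list {cert_san_webid} as its secretary"
    return principal, "delegated: secretary acts on behalf of principal"


if __name__ == "__main__":
    for hdrs in ({"X-On-Behalf-Of": BOB_WEBID}, {}, {"X-On-Behalf-Of": ALICE_WEBID}):
        print(hdrs, "->", authorize(SECRETARY_WEBID, "C0FFEE1234", 65537, hdrs))
```

The decisive property of the S3 design is visible in `secretary_check`: the delegation claim is accepted only from the principal's own profile, fetched from the principal's WebID, never from the header or from the secretary's profile, so a secretary cannot assert delegation for a user who has not published the relation. The basic WebID check still has to pass first; the header alone carries no authority.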