WebID


WebID is a method for internet services and their members to know who they are communicating with. The WebID specifications are a set of editor's drafts intended to prepare the standardization of identity, identification and authentication on HTTP-based networks. WebID-based protocols (Solid OIDC, WebID-TLS, WebID-TLS+Delegation) offer another way to log into internet services: instead of presenting a password, the member presents a web address (the WebID) whose profile document vouches for the credential being presented. WebID is not a specific service or product.


Technically speaking, a WebID is an HTTP URI that denotes ("refers to" or "names") an agent on an HTTP-based network such as the Web or an enterprise intranet. In line with linked data principles, when a WebID is dereferenced ("looked up"), it resolves to a profile document (a WebID-Profile) that describes its referent (what it denotes). This profile document consists of structured data in the RDF model, originally built mostly from terms of the FOAF vocabulary but now often including terms from other vocabularies (for example the cert vocabulary that WebID-TLS uses to publish an agent's public keys).

Profile documents can be stored on the agent's own Web server, and access thereto may be partially or wholly constrained to specific agent identities via the use of access controls, to preserve the privacy of the profile document's subject.

Protocols

WebID-TLS

The WebID-TLS protocol (formerly known as FOAF+SSL [1] ) is a decentralized authentication protocol built on the profile information together with the Transport Layer Security (TLS) client certificates available in virtually all modern web browsers. It was first presented [2] [3] at the W3C Workshop on the Future of Social Networking in 2009.

Unlike the usual TLS usage patterns, WebID-TLS does not require [4] a dedicated certificate authority in order to authenticate users. Users can mint identities for themselves with any TLS certificate, including self-signed ones, because the relying party does not evaluate the certificate's issuer at all: it dereferences the WebID named in the certificate's Subject Alternative Name and accepts the identity only if the profile document found there lists the certificate's public key. The root of trust is therefore the integrity of that HTTPS fetch of the profile, not a certificate chain. Using TLS client certificates for Web site user authentication does not usually require the user to type a password, unlike many other single sign-on mechanisms, which can make WebID-TLS quite convenient. However, the client certificate selection dialogues in popular Web browsers are not yet as user-friendly as they might be, negating some of this convenience.
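The following Go program is an added example, not code from the WebID specifications or from any implementation: it walks through the WebID-TLS check described above and the profile layout described under the definition. It issues a self-signed client certificate that carries a WebID as its Subject Alternative Name URI, publishes a constructed Turtle profile stating the RSA modulus and exponent with the cert vocabulary, and has the relying party dereference the WebID and accept the identity only when the profile lists the certificate's key. The name alice.example, the profile text, and the map that stands in for the HTTPS GET are assumptions of the example; the regular-expression extraction of the key is a stand-in for a real RDF parser.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewWebIDCert issues a self-signed client certificate with the WebID as its SAN URI; no CA is involved.
func NewWebIDCert(webid string, key *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "WebID-TLS client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{must(url.Parse(webid))},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// RenderProfile writes a constructed WebID-Profile in Turtle; the cert: vocabulary publishes the RSA key parts.
func RenderProfile(webid string, pub *rsa.PublicKey) string {
	return fmt.Sprintf(`@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<%s> a foaf:Person ;
    cert:key [ a cert:RSAPublicKey ;
               cert:modulus "%x"^^xsd:hexBinary ;
               cert:exponent %d ] .
`, webid, pub.N, pub.E)
}

var keyBlockRe = regexp.MustCompile(`(?s)cert:key\s*\[(.*?)\]`)
var modulusRe = regexp.MustCompile(`cert:modulus\s+"([0-9A-Fa-f]+)"`)
var exponentRe = regexp.MustCompile(`cert:exponent\s+(\d+)`)

// profileListsKey reports whether the statements about <webid> in doc include a cert:key equal
// to pub. Keys the document states for other subjects are ignored: only the named agent vouches.
func profileListsKey(doc, webid string, pub *rsa.PublicKey) bool {
	subj := regexp.MustCompile(`(?s)<` + regexp.QuoteMeta(webid) + `>\s(.*?)\s\.(\s|$)`).FindStringSubmatch(doc)
	if subj == nil {
		return false
	}
	for _, kb := range keyBlockRe.FindAllStringSubmatch(subj[1], -1) {
		mod, exp := modulusRe.FindStringSubmatch(kb[1]), exponentRe.FindStringSubmatch(kb[1])
		if mod == nil || exp == nil {
			continue
		}
		n, _ := new(big.Int).SetString(mod[1], 16)
		if n != nil && n.Cmp(pub.N) == 0 && exp[1] == fmt.Sprint(pub.E) {
			return true
		}
	}
	return false
}

// VerifyWebIDTLS is the relying party's check: dereference each https WebID claimed in the SAN
// (web stands in for an HTTPS GET) and accept it only if that profile lists the cert's key.
func VerifyWebIDTLS(cert *x509.Certificate, web map[string]string) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("cert:modulus/cert:exponent describe RSA keys only")
	}
	for _, u := range cert.URIs {
		// An http: profile could be altered in transit, so only https: claims are considered.
		if u.Scheme == "https" && profileListsKey(web[u.String()], u.String(), pub) {
			return u.String(), nil // the issuer of cert was never consulted
		}
	}
	return "", fmt.Errorf("no claimed WebID's profile lists this certificate's public key")
}

// Demo publishes Alice's constructed profile, then presents her certificate and an impostor's.
func Demo() (accepted string, impostorErr error) {
	const webid = "https://alice.example/profile#me"
	aliceKey, mallKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	web := map[string]string{webid: RenderProfile(webid, &aliceKey.PublicKey)}
	accepted = must(VerifyWebIDTLS(NewWebIDCert(webid, aliceKey), web))
	_, impostorErr = VerifyWebIDTLS(NewWebIDCert(webid, mallKey), web) // same WebID claim, other key
	return accepted, impostorErr
}

func main() {
	fmt.Println(Demo())
}
```

The impostor's certificate is rejected even though it is just as "valid" a self-signed certificate as Alice's, which is the whole point of the protocol: the issuer is irrelevant, and the profile document reachable at the WebID is the root of trust. That is also why the verifier ignores http: WebIDs and why the key must be found in the statements about the claimed subject rather than anywhere in the fetched document.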

A web of trust based on WebID-TLS could be gradually constructed, connecting users and their activities on the World Wide Web, without formal key signing parties, making the identification harder for anyone (even the original issuing authority) to falsify. [5]

WebID-OIDC

WebID-OIDC was an authentication delegation protocol used by Solid, based on OAuth2/OpenID Connect with a decentralized choice of identity provider. [6] It has been superseded by Solid OIDC. [7]

Solid OIDC

Solid OIDC is the authentication delegation protocol currently used by Solid. It is based on OAuth2/OpenID Connect, with the user's WebID serving as the identifier that the OpenID Provider attests to. [8]

WebID-TLS+Delegation

WebID-TLS+Delegation extends WebID-TLS with an "On Behalf Of" header and a delegation relationship published in profile documents, enabling one agent (for example a server acting for a user) to act with all permissions and privileges of another agent. [9] The header on its own is only a claim made by the client; a relying party must confirm the delegation from the principal's own dereferenced profile, not from any document the delegate controls.
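As an added example that is not part of the specification or of any Solid or WebID implementation, the Go program below shows the delegation check a relying party performs after WebID-TLS has already authenticated the TLS client. The header name On-Behalf-Of, the profile texts, and the use of the acl:delegates relation to record the delegation are assumptions of this example; the map stands in for dereferencing the principal's WebID over HTTPS.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

const (
	alice   = "https://alice.example/profile#me"
	bob     = "https://bob.example/profile#me"
	mallory = "https://mallory.example/profile#me"
)

// SampleWeb is a constructed stand-in for what an HTTPS GET of each WebID would return.
// Alice's own profile delegates to Bob only. Mallory's profile asserts that Alice delegates
// to her, but a statement about Alice in a document Mallory controls carries no weight.
var SampleWeb = map[string]string{
	alice: `@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<` + alice + `> a foaf:Person ;
    foaf:knows <` + mallory + `> ;
    acl:delegates <` + bob + `> .
`,
	bob: `<` + bob + `> a <http://xmlns.com/foaf/0.1/Person> .`,
	mallory: `@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<` + alice + `> acl:delegates <` + mallory + `> .
`,
}

var delegatesRe = regexp.MustCompile(`acl:delegates\s+((?:<[^>]*>\s*,?\s*)+)`)
var iriRe = regexp.MustCompile(`<([^>]*)>`)

// ResolveActor returns the WebID a request acts as. authenticated is the agent already proven
// by WebID-TLS; an On-Behalf-Of header names a principal and is honoured only if the principal's
// own dereferenced profile lists the authenticated agent under acl:delegates.
func ResolveActor(authenticated string, hdr http.Header, web map[string]string) (string, error) {
	principal := hdr.Get("On-Behalf-Of")
	if principal == "" {
		return authenticated, nil
	}
	doc, ok := web[principal] // always the principal's document, never the delegate's
	if !ok {
		return "", fmt.Errorf("cannot dereference %s", principal)
	}
	// Restrict the search to the statements whose subject is the principal.
	subj := regexp.MustCompile(`(?s)<` + regexp.QuoteMeta(principal) + `>\s(.*?)\s\.(\s|$)`).FindStringSubmatch(doc)
	if subj != nil {
		for _, m := range delegatesRe.FindAllStringSubmatch(subj[1], -1) {
			for _, iri := range iriRe.FindAllStringSubmatch(m[1], -1) {
				if iri[1] == authenticated {
					return principal, nil
				}
			}
		}
	}
	return "", fmt.Errorf("%s does not delegate to %s: On-Behalf-Of rejected", principal, authenticated)
}

func main() {
	for _, agent := range []string{bob, mallory} {
		h := http.Header{}
		h.Set("On-Behalf-Of", alice)
		actor, err := ResolveActor(agent, h, SampleWeb)
		fmt.Printf("%s on behalf of Alice -> actor=%q err=%v\n", agent, actor, err)
	}
}
```

Bob's request is resolved to Alice because Alice's profile says so; Mallory's identical header is rejected because nothing in Alice's profile delegates to her, regardless of what Mallory's own profile claims. Access control decisions are then made for the resolved actor, with the authenticated delegate recorded alongside it for auditing.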


References

  1. "FOAF+SSL decentralized authentication protocol".
  2. "foaf+ssl: adding security to open distributed social networks". Sun Microsystems. Archived from the original on September 29, 2009.
  3. "Workshop on the Future of Social Networking". Barcelona, ES: W3C. January 2009.
  4. "foaf+ssl: creating a web of trust without key signing parties". Sun Microsystems. Archived from the original on January 22, 2009.
  5. Gamble, Matthew; Goble, Carole (April 2010). "Standing on the Shoulders of the Trusted Web: Trust, Scholarship and Linked Data". Proceedings of the WebSci10: Extending the Frontiers of Society On-Line.
  6. "WebID-OIDC Authentication Spec". September 2017.
  7. "Has the WebID-OIDC spec been superseded by the Solid OIDC spec?". July 2021.
  8. "SOLID-OIDC". July 2021.
  9. Sabol, Cory; Odd, Wesley; Esterline, Albert (March 2016). "Group Access Control using WebID". SoutheastCon 2016. IEEE. pp. 1–2. doi:10.1109/secon.2016.7506672. ISBN 978-1-5090-2246-5. S2CID 31073762.