Web Profile and security

Mark Taylor m.b.taylor at bristol.ac.uk
Wed Dec 15 09:03:46 PST 2010


Hi all,

following my Web Profile presentation at the Interop, I chatted to 
Ray Plante a bit about security.  He thinks that it would be a good 
idea for the hub to pay attention to signed certificates.  
In this scenario, the hub has a certificate bundle 
and accepts HTTPS requests as well as HTTP ones
(on a separate well-known port?).  When a request to register 
is received and the hub asks the user for confirmation 
(via a popup or whatever), then the hub should make clear 
to the user whether the request was signed, and 
whether the CA is from its trusted certificate bundle or not.
It should perhaps issue to the user an extra-scary warning for 
clients which cannot be authenticated as from a trusted source.
This gives the user a better idea about whether to trust the 
registering tool/page with the user privileges entailed by SAMP
registration.

A given hub implementation would need to get its certificate bundle
from somewhere; putting an IVOA-approved bundle together sounds like
a job for GWS (maybe they already have one?)

This sounds reasonable to me in principle.  However, I'm very 
ill-informed about certificates and security in general, so my 
understanding of the issues is pretty sketchy - quite possibly there
are howlers in the above summary which show off my ignorance.

Questions which occur to me:

  - how much harder does this make hub implementation?

  - how hard is it for client authors to make HTTPS requests
       in the various target languages (JavaScript et al.)?

  - will there be performance issues?  cryptography can be slow,
       and often SAMP involves a lot of short messages

  - do the three sandbox-busting technologies currently proposed by
       the Web Profile work with HTTPS?  (I think the answer is yes,
       but I wouldn't bet on it).

There are probably other questions too.

Can anybody comment on whether they think this idea is sensible
and/or necessary and/or practicable, or add anything else they
think is relevant?  I believe that Luigi already uses https
connections with SAMPy, so his perspective will be particularly
valuable.

Mark

--
Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
m.b.taylor at bris.ac.uk +44-117-928-8776 http://www.star.bris.ac.uk/~mbt/

