
WebID and e-mail verification -- was: Getting Serious about WebID Bootstrap

From: Henry Story <henry.story@bblfish.net>
Date: Sun, 30 Sep 2012 20:07:31 +0200
Cc: Kingsley Idehen <kidehen@openlinksw.com>
Message-Id: <1EF53B78-DBF3-4A70-91D6-AFC8227312E0@bblfish.net>
To: Read-Write-Web <public-rww@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, WebID XG <public-xg-webid@w3.org>
I just realised something interesting.

   Initially I thought this was problematic. It won't prove anything. 
But I now think I was wrong. WebID verification on this e-mail 
will tell you that I am http://bblfish.net/people/henry/card#me 
(I think it is still signing). Of course this would require adding a plugin 
to the e-mail client for this to work fluidly.

   But the neat thing is that if you prove that then you also prove that 

 <http://bblfish.net/people/henry/card#me> owl:sameAs <mailto:henry.story@bblfish.net> 

since the e-mail was sent by someone who had access to the private key of 
     <http://bblfish.net/people/henry/card#me>

So there is no need to add the e-mail to the certificate!

Well not quite. Forging e-mail From fields is probably quite easy. So
you would know it was sent by someone with WebID
  <http://bblfish.net/people/henry/card#me>
But you'd still have the question of whether it was a forged From field.
And now it all depends on who you trust more: the http webid or the
e-mail address. If you have a serious graph of relationships based
on https WebIDs, the webid may give you enough trust of who I am. 
Also this at least reaches the level of security of current password 
verification schemes on the internet.

So webfinger could help a bit but 
http://tools.ietf.org/html/draft-hoffman-dane-smime-04
would help a lot more (if I have understood it as placing in DNS the 
signing certificate for certs containing e-mail SANs).

What adding the e-mail to the certificate gives you for sure is if you want to 
send me an encrypted mail. Then if you have only my e-mail you'd need 
to do a lookup from my e-mail to find my webid. WebFinger would help there.
But it would be insecure - unless they have found a way to specify a
default over https.

Interestingly draft-hoffman won't help here either because you can't from
the signer of my certificate work out what my public key is. They'd have
to put the certificate for each user with an e-mail in DNSSEC, but then
DNSSEC would become an e-mail lookup system ready for spamming people.

So we have a situation where a WebID in an e-mail cert goes a lot further 
than I thought! But it is not quite optimal yet.

Henry


On 28 Sep 2012, at 15:07, Henry Story <henry.story@bblfish.net> wrote:

> Btw. this follows up on a discussion on the IETF DANE mailing list and the WebID lists, that relates to an IETF proposal to store signatures in DNSSEC using DANE. In this last part I think I found a reasonable picture of how these can interact.
> 
>   http://lists.w3.org/Archives/Public/public-webid/2012Sep/0163.html
> 
> 
> Henry
> 
> PS. Thanks to Kingsley for helping me use my WebID Certificate to sign e-mails
> 
> 
> On 28 Sep 2012, at 13:36, Kingsley Idehen <kidehen@openlinksw.com> wrote:
> 
>> All,
>> 
>> Bootstrapping anything on the Web requires technology implementers to use (dog-food) whatever technology they seek to promote to others. Thus, I would like to encourage every participant in the RWW and WebID community groups to make a best effort to start signing emails, moving forward.
>> 
>> Naturally, these emails should be signed using a WebID-watermarked X.509 certificate. Certificate generation choices include:
>> 
>> 1. Native generators that come with your desktop OS -- Mac OS X, Windows, and Linux all include such a utility
>> 2. Certificate generators from WebID IdPs -- I have a list here: http://delicious.com/kidehen/webid+webid_idp (ping me if you have a generator that's unlisted).
>> 
>> Over the last year or so, I've written a number of how-to guides [1] covering how to sign emails across all the major native email clients.
>> 
>> Once again, if we don't sign our emails we lose a simple opportunity to showcase the utility of WebIDs and the WebID authentication protocol. Being able to follow-your-nose from a WebID that watermarks an email sender's certificate is a very simple utility showcase for both WebID and Linked Data.
>> 
>> We can do this!
>> 
>> Links:
>> 
>> 1. http://bit.ly/VTnxzz -- collection of G+ hosted howtos (for all the major native email clients) covering how to digitally sign emails.
>> 
>> -- 
>> 
>> Regards,
>> 
>> Kingsley Idehen
>> Founder & CEO
>> OpenLink Software
>> Company Web: http://www.openlinksw.com
>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca handle: @kidehen
>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>> 
>> 
>> 
>> 
>> 
> 
> Social Web Architect
> http://bblfish.net/
> 

Social Web Architect
http://bblfish.net/
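The inference Henry describes, written out as an added example (not code from the thread or from any WebID implementation): the verifier has already checked the S/MIME signature against the signing certificate, dereferences the certificate's WebID SAN and compares the public key with the profile, then derives the owl:sameAs triple. The profile table is a constructed stand-in for the RDF document at the WebID; `SignerCert`, `verify_webid` and `same_as_claim` are hypothetical names. The returned basis records the caveat from the mail: without an rfc822Name SAN in the certificate the address comes only from the From field, which may be forged.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SignerCert:
    """Fields of the S/MIME signing certificate that matter here (constructed, not parsed)."""
    webid: Optional[str]   # subjectAltName URI carrying the WebID
    email: Optional[str]   # subjectAltName rfc822Name, or None if the cert has no e-mail
    modulus: int
    exponent: int


# Constructed stand-in for the profile document at the WebID: each WebID maps to the
# (cert:modulus, cert:exponent) pairs it publishes. Real code dereferences the URI.
PROFILES: Dict[str, List[Tuple[int, int]]] = {
    "http://bblfish.net/people/henry/card#me": [(0xC0FFEE, 65537)],
}


def verify_webid(cert: SignerCert, signature_ok: bool) -> Optional[str]:
    """WebID check: the message signature verified against cert, and the
    WebID profile lists cert's public key. Returns the WebID or None."""
    if not signature_ok or not cert.webid:
        return None
    keys = PROFILES.get(cert.webid, [])
    return cert.webid if (cert.modulus, cert.exponent) in keys else None


def same_as_claim(cert: SignerCert, from_header: str, signature_ok: bool):
    """Derive (<webid>, owl:sameAs, <mailto:...>, basis) or None.

    basis 'cert-san':    From matches an rfc822Name bound to the signing key,
                         so a forged From field would not match.
    basis 'from-header': only the From field links WebID and address; the
                         signer is proven but the address could be forged."""
    webid = verify_webid(cert, signature_ok)
    if webid is None:
        return None
    if cert.email is not None:
        if cert.email.lower() != from_header.lower():
            return None  # the key holder never claimed this address
        basis = "cert-san"
    else:
        basis = "from-header"
    return (f"<{webid}>", "owl:sameAs", f"<mailto:{from_header}>", basis)
```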



Received on Sunday, 30 September 2012 18:08:07 UTC
