Re: WebID discussion in Debian from Henry Story on 2013-05-15 (public-webid@w3.org from May 2013)

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 15 May 2013 12:11:47 +0200
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Jonas Smedegaard <dr@jones.dk>, public-webid <public-webid@w3.org>, Kingsley Idehen <kidehen@openlinksw.com>
Message-Id: <970DDAA3-E112-4463-B4DD-C33ADE2E9CE1@bblfish.net>
On 15 May 2013, at 12:02, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> 
> 
> 
> On 15 May 2013 11:20, Jonas Smedegaard <dr@jones.dk> wrote:
> [continuing list+private, as I seem still blocked from the list]
> 
> Quoting Melvin Carvalho (2013-05-15 09:48:44)
> > Para (1) -- Russ is correct ... if your HTTP URI is not https you can
> > be impersonated via MITM.  The natural conclusion is to think that you
> > need a CA certificate.  But that's only on first call, and assumes you
> > dont have a normative key cached.  Every time you notice a key change
> > you should be suspicious (as with SSH) ... but this is not documented
> > in the spec, afaik.
> 
> So would the below - which I think is more clear also for the
> anti-CA-cartel people in Debian - be correct?:
> 
> Yes, avoid unencrypted HTTP (i.e. https or .onion or some other mean),
> but no need to trust CA for the server cert: Similar to SSH you can
> instead maintain your own list of trusted certs (e.g. using
> Monkeysphere).
> 
> http://web.monkeysphere.info/
> 
> That's a nice way to put it yes.  
> 
> Side note: I *purposefully* use http and run the risk of MITM because there's not too much damage that can be done right now, and in the long term we want solutions that do not require the CA cartel.  I would use https currently for things like payments ontologies or identity providers and just pay a CA.
> 
>  
> 
> [a few understood and agreed upon remarks skipped]
> 
> > Para (4) -- WebID is about distributed identity.  WebID+TLS (which is
> > actually +FOAF+RSA) is one authentication method layered on top of
> > WebID.  People almost always couple the two together, and I dont think
> > the community really emphasises the value proposition of the
> > modularity.  This goes back to the days when WebID was called FOAF+SSL
> > ... today FOAF isnt mentioned in the core WebID spec.
> 
> Now you got even me confused (so no doubt have lost most of Debian!):
> I've heard about FOAF+SSL and WebID, but not FOAF+RSA or WebID+TLS.
> 
> So in TPAC 6 months ago we decided to split webid into two parts formally:
> 
> 1. Webid -- Identity (for which there is a new spec)
> 2. WebID+TLS which is an authentication example.  Currently the WebID+TLS spec actually has dependencies on FOAF and RSA keys ... so technically it is more like WebID+TLS+FOAF+RSA

It helps to add links to the specs when mentioning these:
    https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
    https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html

btw the link from from the current spec that points to the latest version points here:
   https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html

It currently redirects after a few seconds to the tls-respec. Could someone 
make a very nice version of that page so that it does not redirect but just points
to both specs with a short summary?  That would be very nice.

> 
> What we're going for is a clean separation of concerns with many possible auth layers built on top of a solid identity system.
>  
> 
> If you mean to say that WebID is *not* tied to TLS, then perhaps it is
> better to point that out without adding _more_ new words.
> 
> When Russ says "do we really need [...FOAF]" then he is most likely
> referring to our PGP-based Web of Trust (possibly the largest in the
> World!).
> 
> Side note:  The PGP strong set is about 40k?  FOAF is much bigger as a DNS based WOT.  But facebook is biggest still.  Much depends on your perspective.
>  
> 
> Is he essentially correct that a) WebID is about *both* authentication
> and distributed identity management, and that b) when we already have
> strong distributed identity management with our PGP WoT then WebID is
> arguably unnecessary bloat?
> 
> We try and separate these two concepts (identity and authentication) as above, but it's a recent evolution so maybe not that well explained.
> 
> Id actually love to see the PGP WoT and the Web WoT be one big system.  WebID is primarily HTTP based with GET used as discovery.  PGP is primarily email based (with keyservers for discovery?) and both have (generally RSA) keys and some meta data.  GPG has the advantage of some great tools and security, the web has the advantage of delivery to a wide audience.  Maybe one day this dream will come true.  As of today, it would be really great to find some common ground, leading to convergence, rather than the either/or perspectives.
>  
> 
> Seems to me that you are not really (or only) addressing that point in
> your remark above.
> 
> I think I covered a few this (maybe too many!) to try and clarify the current state of WebID
>  
> 
> 
> > Quick Question: does debian have a CA, or is this a proposal?
> 
> Debian uses [SPI] as CA.  SPI currently issue certs on their own but is
> considering moving to chained certs under some cartel member (StartCom,
> if I recall correctly).
> 
> But this is not a discussion on "how do we handle our web certs".  It is
> a discussion on "how do we authenticate members of our community" and
> (some in) Debian is fundamentally sceptical to the CA cartel and the
> whole hierarchical trust structure of certs - even if being pragmatic
> towards the public and using such certs at public-facing services.
> 
> Sure, we're mostly skeptical too :)
>  
> 
> 
> Please also read the follow-up by Daniel.
> 
> Russ has been with Debian since forever, and is excellent at keeping
> separate own opinions from general views of the project.
> 
> Daniel is slightly younger in Debian (about 10 years like myself, I
> think) and knows his way around crypto + can explain it in simple terms
> - he is involved in the development of Monkeysphere.
> 
> Yes I know daniel from freedombox, we had a similar conversation, and he's helped me a few times on the GPG user's list.
> 
> In summary, technologies like GPG, WebID, DANE/DNSSEC, monkeysphere and even FOAF have a lot in common in terms of the problems we're trying to solve.  If somehow we can learn to work together (based on the URI for email/http/key data) we could maybe build something really great.
>  
> 
> 
>  - Jonas
> 
> 
> [SPI]: http://www.spi-inc.org/
> 
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
> 
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 15 May 2013 10:12:23 UTC