RE: World Wide Web of Trust from Peter Williams on 2011-12-21 (public-xg-webid@w3.org from December 2011)

From: Peter Williams <home_pw@msn.com>
Date: Wed, 21 Dec 2011 03:19:44 -0800
To: <mo.mcroberts@bbc.co.uk>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>, <foaf-protocols@lists.foaf-project.org>
Message-ID: <SNT143-W17D11C2E72AF5D80787C5B92A50@phx.gbl>

 > From: mo.mcroberts@bbc.co.uk
> Date: Wed, 21 Dec 2011 10:49:11 +0000
> CC: henry.story@bblfish.net; public-xg-webid@w3.org; foaf-protocols@lists.foaf-project.org
> (Note also that that an RSA or DSA key used to create/encapsulated within a WebID certificate can also be expressed as a PGP key...)
> 
> M.
This is logically true. Any blob can be re-packaged and indexed in a unique repository, assumings it is public data with bears no copyright or other use controls. At higher assurance levels, its not a valid argument however. In a better class cert-using system, if one is about to use 2 peer's RSA-signed certs with DH keying material to do key agreement (as in Google's better-class TLS, in Chrome), the client UA will not engage in the element of proceedure called key agreement unless the pre-conditions are met. that is the software user-agent requires and enforces minimum conformance. Though you can take the public cert and strip out its key, package it up as a PGP formatted blob, and indeed use it in a PGP-grade system also doing DH key agreement, you cannot do the reverse. You cannot take the PGP blob and make a cert. Not only must tbe cert be signed by a party to the [industrial/comsec] control system, but it must have that format - as enforced by the cert-using system. For in the cert are various control extensions - that guard against infrastrcuture attacks (that the PGP community typically cares little about). Yes, one can argue that X509 as practicsed in the web is not much better than PGP - but that is a function of its vendors, economic pressures, goverment policy (that cannot decide if its stalin or mother teresa), the user type and the community standards and goals (not the technology, when the art is practiced professionally with proper funding, proper training, proper indoctrination of staff, etc etc). Remember, the web is a low assurnace environment, aiming at 80% quality, most of the time. Crypto has to fit, that goal set. It has to be able to be upgraded for the fewer cases that demand more, when using the same software. Thus, your windows box has to come from the retail store with one group of settings, assume that the user will then turn off all those damn-annoying security features, use some third party software that convers the cert into a pgp blob, and then ALSO be selectively upgraded when talking to certain sites (like banking) when protecting against poor design (that created the world of spam, porn virus, sip viruses, abd web phishing.) Its hard meeting 100 needs at the same time, all conflicting. but we are doing ok. 20 years ago there was nothing. now there are billion of systems doing "reasonable" stuff.

Received on Wednesday, 21 December 2011 11:20:21 UTC