Re: WebID and e-mail verification -- was: Getting Serious about WebID Bootstrap from Henry Story on 2012-10-01 (public-xg-webid@w3.org from October 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 1 Oct 2012 13:14:27 +0200
To: Carvalho Melvin <melvincarvalho@gmail.com>, Read-Write-Web <public-rww@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, WebID XG <public-xg-webid@w3.org>, Kingsley Idehen <kidehen@openlinksw.com>
Message-Id: <DDC6A042-9BD6-4641-9E70-8EDB9C001B46@bblfish.net>
On 30 Sep 2012, at 20:38, Henry Story <henry.story@bblfish.net> wrote:

> 
> On 30 Sep 2012, at 20:34, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> 
>> 
>> 
>> On 30 September 2012 20:07, Henry Story <henry.story@bblfish.net> wrote:
>> I just realised something interesting.
>> 
>>    Initially I thought this is problematic. It won't prove anything.
>> But I now think I was wrong. WebID verification  on this e-mail
>> will tell you that I am http://bblfish.net/people/henry/card#me
>> (I think it is still signing). Of course this would require adding a plugin
>> to the e-mail client for this to work fluidly.
>> 
>>    But the neat thing is that if your prove that then you also prove than
>> 
>>  <http://bblfish.net/people/henry/card#me> owl:sameAs <mailto:henry.story@bblfish.net>
>> 
>> since the  e-mail was sent by someone who had access to the private key of
>>      <http://bblfish.net/people/henry/card#me>
>> 
>> So there is no need to add the e-mail to the certificate!
>> 
>> Well not quite. Forging e-mail from fields is probably quite easy. So
>> you would know it was sent by someone with WebID
>>   <http://bblfish.net/people/henry/card#me>
>> But you'd still have the question if it was a forged from field.
>> And now it all depends on who you trust more: the http webid or the
>> e-mail address. If you have a serious graph of relationships based
>> on https WebIDs, the webid may give you enough trust of who i am.
>> Also this at least reaches the level of security of current password
>> verification schemes on the internet.
>> 
>> So webfinger could help a bit but
>> http://tools.ietf.org/html/draft-hoffman-dane-smime-04
>> would help a lot more ( if I have understood it as placing in dns the
>> signing certificate for certs containing e-mail sans )
>> 
>> What adding the e-mail to the certificate gives you for sure is if you want to
>> send me an encrypted mail. Then if you have only my e-mail you'd need
>> to do a lookup from my e-mail to find my webid. WebFinger would help there.
>> But it would be insecure - unless they have found a way to specify a
>> default over https.
>> 
>> Interestingly draft-hoffman won't help here either because you can't from
>> the signer of my certificate work out what my public key is. They'd have
>> to put the certificate for each user with an e-mail in DNSSEC, but then
>> DNSSEC would become an e-mail lookup system ready for spamming people.
>> 
>> So we have a situation where a WebID in an e-mail cert goes a lot further
>> than I thought! But it is not quite optimal yet.
>> 
>> +1 
>> 
>> It's not quite sameAs, more a foaf : mbox verification, but can be both DNS based or PKI based in either or both directions ... the more checks you pefform the higher your confidence interval.  The beautiful thing about signing with PKI is that it makes things portable.
>> 
>> One thing to be wary about is that we are already heavily reliant on the centralization of DNS.  We need to be cautious as to putting too many eggs in one basket.

DNSSEC is also very important for Tor btw. Without DNSSEC it is easy for governments 
to break into a DNS, and redirect all web requests for Tor to cloned sites that contain 
links to Trojaned software. Similaraly Debian is using it too, if one is to believe Peter
Palfrader's e-mail to the Dane working group at the IETF: 

  http://www.ietf.org/mail-archive/web/dane/current/msg05235.html

It could well be that Tor is very useful to DNS admins to send around keys in a different system
that would not rely on DNS....

> 
> I'll be putting together some Tor based demos with WebID later this year. So lets not worry about DNS.
> Just use what works and build on clean architecture. Then when things improve you can move on
> with minimal restructuring - just change your URIs. 
> 
> TOR should be easy for WebID: they also work with URIs: .onion ones. So one could put .onion URIs
> in the SAN of a certificate.
> 
>>  
>> 
>> Henry
>> 
>> 
>> On 28 Sep 2012, at 15:07, Henry Story <henry.story@bblfish.net> wrote:
>> 
>> > Btw. this follows up on a discussion on the IETF DANE mailing list and the WebID lists, that relates to an IETF proposal to use store signatures in DNSSEC using DANE. In this last part I think I found a reasonable picture of how these can interact.
>> >
>> >   http://lists.w3.org/Archives/Public/public-webid/2012Sep/0163.html
>> >
>> >
>> > Henry
>> >
>> > PS. Thanks to Kingsley for helping me use my WebID Certificate to sign e-mails
>> >
>> >
>> > On 28 Sep 2012, at 13:36, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>> >
>> >> All,
>> >>
>> >> Bootstrapping anything on the Web requires technology implementer to use (dog-food) whatever technology they seek to promote to others. Thus, I would like to encourage every participant in the RWW and WebID community groups to make a best-effort to start signing emails, moving forward.
>> >>
>> >> Naturally, these emails should be signed using an WebID watermarked X.509 certificate. Certificate generation choices include:
>> >>
>> >> 1. Native generators that come with your desktop OS -- Mac OS X, Windows, and Linux all include such a utility
>> >> 2. Certificate generators from WebID IdPs -- I have a list here: http://delicious.com/kidehen/webid+webid_idp (ping me if you have a generator that's unlisted) .
>> >>
>> >> Over the last year or so, I've written a number of how-to guides [1] covering how to sign emails across all the major native email clients.
>> >>
>> >> Once again, if we don't sign our emails we loose a simple opportunity to showcase the utility of WebIDs and the WebID authentication protocol. Being able to follow-your-nose from a WebID that watermarks an email senders certificate is a very simple utility showcase for both WebID and Linked Data.
>> >>
>> >> We can do this!
>> >>
>> >> Links:
>> >>
>> >> 1. http://bit.ly/VTnxzz -- collection of G+ hosted howtos (for all the major native email clients) covering how to digitally sign emails .
>> >>
>> >> --
>> >>
>> >> Regards,
>> >>
>> >> Kingsley Idehen
>> >> Founder & CEO
>> >> OpenLink Software
>> >> Company Web: http://www.openlinksw.com
>> >> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>> >> Twitter/Identi.ca handle: @kidehen
>> >> Google+ Profile: https://plus.google.com/112399767740508618350/about
>> >> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> > Social Web Architect
>> > http://bblfish.net/
>> >
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 
> 
> Social Web Architect
> http://bblfish.net/
> 

Social Web Architect
http://bblfish.net/
Attachments

application/pkcs7-signature attachment: smime.p7s
Received on Monday, 1 October 2012 11:15:07 UTC