- From: Henry Story <henry.story@bblfish.net>
- Date: Mon, 1 Nov 2010 16:49:02 +0100
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: nathan@webr3.org, Ivan Herman <ivan@w3.org>, Juriy Katkov <katkov.juriy@gmail.com>, Semantic Web <semantic-web@w3.org>
On 1 Nov 2010, at 15:06, Melvin Carvalho wrote:

>> (I really go into this at length here
>> http://www.slideshare.net/bblfish/philosophy-and-the-social-web-5583083 )
>>
>>> If however one was to do something like sign their URI with their private key and pop the signature in the graph, then you could establish that they do or did hold that key simply by considering the RDF.
>>
>> So what are the attack vectors that our current implementations are at risk of, since they do not
>> implement this? If you are adding a new feature, then there must be something that it is fixing, right?
>
> This came up while discussing PGP key signing and Web of Trust. See below:
>
> http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#web_of_trust_definition

Yes, that is the PGP Web of Trust definition. Perhaps we should call the WebID/foaf method the Referential Web of Trust solution. There is a huge difference. I go into that in the slideshare video linked to above. The difference between the two methods is also illustrated here:

http://esw.w3.org/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F

> You can digitally sign your own public key packet and any associated
> id in that public key, or another entity's public key packet and
> associated user ids. Self signatures prevent adversaries from
> appending fake encryption or signature keys on your public key
> material while it is stored publicly or while it is being transmitted.

Part of the reason they have this problem is that the PGP keys get stored on public servers where everyone has write access. So yes, signing your key material is very important in that regard. But there are many issues with doing things that way.

> If an adversary were able to add a fake encryption or signature key,
> they could add a public key packet to which only they possess the
> private key. This could result in an individual who wishes to
> communicate with you in secret inadvertently transmitting their
> communication to the person that serendipitously modified your public
> key in transit. By default, GnuPG and most other implementations of the
> openPGP standard automatically perform self signature on all User ID
> packets generated for a public key.

With WebID we solve this problem by doing just-in-time encryption using SSL on the server. And this works because we do things semantically: i.e. we make use of referents.

> In a sense, key signatures validate public keys. They are an
> endorsement of validity of a public key packet and associated id by a
> third party. This is the way in which key signing builds the web of
> trust.

It builds the PGP Web of Trust. The Referential Web of Trust is built by linking foaf profiles together. One can get very far with that without any encryption at all. The Web as it currently is works that way!

Henry

Social Web Architect
http://bblfish.net/
Received on Monday, 1 November 2010 15:49:39 UTC
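A worked illustration of the two mechanisms discussed in this message, added here as an example; it is not code from the thread, from foaf+ssl or from any WebID implementation. It models Melvin's "sign the URI and put the signature in the graph" idea alongside the foaf+ssl check (the key in the client certificate must appear in the dereferenced profile, and TLS client authentication proves possession of the private key during the handshake). RSA is textbook with fixed small primes so the file runs offline; the profile URIs, the example.org predicate for the URI signature, the Python triple sets standing in for RDF, and the nonce-signing stand-in for the TLS handshake are all assumptions of this example.

```python
"""Toy model of two ways to tie a WebID URI to an RSA key.

Added example, not code from the mailing-list thread or from any WebID
implementation. RSA here is textbook (no padding, tiny fixed primes)
purely so the file runs offline; never use it for real keys. Graphs are
plain Python triple sets standing in for the FOAF/cert RDF of a profile.
"""
import hashlib
import secrets

CERT_KEY = "http://www.w3.org/ns/auth/cert#key"
CERT_MOD = "http://www.w3.org/ns/auth/cert#modulus"
CERT_EXP = "http://www.w3.org/ns/auth/cert#exponent"
# Hypothetical predicate for "the signature of the URI stored in the graph".
EX_SIG = "http://example.org/ns#uriSignature"

# Assumed toy parameters: two fixed primes; a real key uses 2048+ bits.
P, Q = 1000000007, 998244353
E = 65537


def keygen(p=P, q=Q, e=E):
    """Textbook RSA: returns ((n, e), d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv_d: int, pub, msg: bytes) -> int:
    n, _ = pub
    return pow(_digest(msg, n), priv_d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def profile_graph(webid: str, pub, uri_sig=None):
    """Triples a profile document at `webid` would publish about its key."""
    n, e = pub
    key_node = f"{webid}#key"
    g = {(webid, CERT_KEY, key_node), (key_node, CERT_MOD, n), (key_node, CERT_EXP, e)}
    if uri_sig is not None:
        g.add((webid, EX_SIG, uri_sig))  # Melvin's proposal: signature in the graph
    return g


def keys_in_graph(graph, webid):
    """All (modulus, exponent) pairs the graph attaches to `webid`."""
    nodes = {o for s, p, o in graph if s == webid and p == CERT_KEY}
    keys = set()
    for k in nodes:
        mods = {o for s, p, o in graph if s == k and p == CERT_MOD}
        exps = {o for s, p, o in graph if s == k and p == CERT_EXP}
        keys.update((n, e) for n in mods for e in exps)
    return keys


def check_signed_uri(graph, webid) -> bool:
    """Verify a stored signature over the URI using only what the graph says.
    Proves that whoever wrote the graph held the key; says nothing about
    who is presenting the URI now."""
    sigs = {o for s, p, o in graph if s == webid and p == EX_SIG}
    return any(verify(k, webid.encode(), s)
               for k in keys_in_graph(graph, webid) for s in sigs)


def webid_auth(web, cert_webid, cert_pub, prove) -> bool:
    """foaf+ssl style check. `web` maps URI -> graph (stands in for an HTTP
    GET of the profile). The key from the certificate must be in the profile,
    and the presenter must prove possession now: TLS does that in the
    handshake, here `prove` signs a fresh nonce."""
    graph = web.get(cert_webid)
    if graph is None or cert_pub not in keys_in_graph(graph, cert_webid):
        return False
    nonce = secrets.token_bytes(16)
    return verify(cert_pub, nonce, prove(nonce))


def demo():
    alice = "https://alice.example/profile#me"  # assumed URI
    a_pub, a_d = keygen()
    web = {alice: profile_graph(alice, a_pub, sign(a_d, a_pub, alice.encode()))}
    m_pub, m_d = keygen(2147483647, 1000000009)  # Mallory's own toy key
    copied = set(web[alice])  # Mallory republishes Alice's graph verbatim
    return {
        "signed_uri_ok": check_signed_uri(web[alice], alice),
        "signed_uri_copy_still_ok": check_signed_uri(copied, alice),
        "webid_alice": webid_auth(web, alice, a_pub, lambda nc: sign(a_d, a_pub, nc)),
        "webid_wrong_key": webid_auth(web, alice, m_pub, lambda nc: sign(m_d, m_pub, nc)),
        "webid_no_private": webid_auth(web, alice, a_pub, lambda nc: sign(m_d, a_pub, nc)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running demo() shows the contrast the message draws: the stored URI signature still verifies after the graph is copied elsewhere, so it establishes only that the author of the graph held the key at some point, whereas the foaf+ssl style check rejects both a certificate whose key is not in the dereferenced profile and a presenter who has Alice's public key but cannot sign the fresh challenge.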