- From: Henry Story <henry.story@bblfish.net>
- Date: Sun, 30 Sep 2012 20:07:31 +0200
- To: Read-Write-Web <public-rww@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, WebID XG <public-xg-webid@w3.org>
- Cc: Kingsley Idehen <kidehen@openlinksw.com>
- Message-Id: <1EF53B78-DBF3-4A70-91D6-AFC8227312E0@bblfish.net>
I just realised something interesting. Initially I thought this is problematic. It won't prove anything. But I now think I was wrong. WebID verification on this e-mail will tell you that I am http://bblfish.net/people/henry/card#me (I think it is still signing). Of course this would require adding a plugin to the e-mail client for this to work fluidly. But the neat thing is that if your prove that then you also prove than <http://bblfish.net/people/henry/card#me> owl:sameAs <mailto:henry.story@bblfish.net> since the e-mail was sent by someone who had access to the private key of <http://bblfish.net/people/henry/card#me> So there is no need to add the e-mail to the certificate! Well not quite. Forging e-mail from fields is probably quite easy. So you would know it was sent by someone with WebID <http://bblfish.net/people/henry/card#me> But you'd still have the question if it was a forged from field. And now it all depends on who you trust more: the http webid or the e-mail address. If you have a serious graph of relationships based on https WebIDs, the webid may give you enough trust of who i am. Also this at least reaches the level of security of current password verification schemes on the internet. So webfinger could help a bit but http://tools.ietf.org/html/draft-hoffman-dane-smime-04 would help a lot more ( if I have understood it as placing in dns the signing certificate for certs containing e-mail sans ) What adding the e-mail to the certificate gives you for sure is if you want to send me an encrypted mail. Then if you have only my e-mail you'd need to do a lookup from my e-mail to find my webid. WebFinger would help there. But it would be insecure - unless they have found a way to specify a default over https. Interestingly draft-hoffman won't help here either because you can't from the signer of my certificate work out what my public key is. They'd have to put the certificate for each user with an e-mail in DNSSEC, but then DNSSEC would become an e-mail lookup system ready for spamming people. So we have a situation where a WebID in an e-mail cert goes a lot further than I thought! But it is not quite optimal yet. Henry On 28 Sep 2012, at 15:07, Henry Story <henry.story@bblfish.net> wrote: > Btw. this follows up on a discussion on the IETF DANE mailing list and the WebID lists, that relates to an IETF proposal to use store signatures in DNSSEC using DANE. In this last part I think I found a reasonable picture of how these can interact. > > http://lists.w3.org/Archives/Public/public-webid/2012Sep/0163.html > > > Henry > > PS. Thanks to Kingsley for helping me use my WebID Certificate to sign e-mails > > > On 28 Sep 2012, at 13:36, Kingsley Idehen <kidehen@openlinksw.com> wrote: > >> All, >> >> Bootstrapping anything on the Web requires technology implementer to use (dog-food) whatever technology they seek to promote to others. Thus, I would like to encourage every participant in the RWW and WebID community groups to make a best-effort to start signing emails, moving forward. >> >> Naturally, these emails should be signed using an WebID watermarked X.509 certificate. Certificate generation choices include: >> >> 1. Native generators that come with your desktop OS -- Mac OS X, Windows, and Linux all include such a utility >> 2. Certificate generators from WebID IdPs -- I have a list here: http://delicious.com/kidehen/webid+webid_idp (ping me if you have a generator that's unlisted) . >> >> Over the last year or so, I've written a number of how-to guides [1] covering how to sign emails across all the major native email clients. >> >> Once again, if we don't sign our emails we loose a simple opportunity to showcase the utility of WebIDs and the WebID authentication protocol. Being able to follow-your-nose from a WebID that watermarks an email senders certificate is a very simple utility showcase for both WebID and Linked Data. >> >> We can do this! >> >> Links: >> >> 1. http://bit.ly/VTnxzz -- collection of G+ hosted howtos (for all the major native email clients) covering how to digitally sign emails . >> >> -- >> >> Regards, >> >> Kingsley Idehen >> Founder & CEO >> OpenLink Software >> Company Web: http://www.openlinksw.com >> Personal Weblog: http://www.openlinksw.com/blog/~kidehen >> Twitter/Identi.ca handle: @kidehen >> Google+ Profile: https://plus.google.com/112399767740508618350/about >> LinkedIn Profile: http://www.linkedin.com/in/kidehen >> >> >> >> >> > > Social Web Architect > http://bblfish.net/ > Social Web Architect http://bblfish.net/
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Sunday, 30 September 2012 18:08:07 UTC