Re: WebID and e-mail verification -- was: Getting Serious about WebID Bootstrap

On 30 September 2012 20:07, Henry Story <henry.story@bblfish.net> wrote:

> I just realised something interesting.
>
>    Initially I thought this is problematic. It won't prove anything.
> But I now think I was wrong. WebID verification  on this e-mail
> will tell you that I am http://bblfish.net/people/henry/card#me
> (I think it is still signing). Of course this would require adding a plugin
> to the e-mail client for this to work fluidly.
>
>    But the neat thing is that if your prove that then you also prove than
>
>  <http://bblfish.net/people/henry/card#me> owl:sameAs <mailto:
> henry.story@bblfish.net>
>
> since the  e-mail was sent by someone who had access to the private key of
>      <http://bblfish.net/people/henry/card#me>
>
> So there is no need to add the e-mail to the certificate!
>
> Well not quite. Forging e-mail from fields is probably quite easy. So
> you would know it was sent by someone with WebID
>   <http://bblfish.net/people/henry/card#me>
> But you'd still have the question if it was a forged from field.
> And now it all depends on who you trust more: the http webid or the
> e-mail address. If you have a serious graph of relationships based
> on https WebIDs, the webid may give you enough trust of who i am.
> Also this at least reaches the level of security of current password
> verification schemes on the internet.
>
> So webfinger could help a bit but
> http://tools.ietf.org/html/draft-hoffman-dane-smime-04
> would help a lot more ( if I have understood it as placing in dns the
> signing certificate for certs containing e-mail sans )
>
> What adding the e-mail to the certificate gives you for sure is if you
> want to
> send me an encrypted mail. Then if you have only my e-mail you'd need
> to do a lookup from my e-mail to find my webid. WebFinger would help there.
> But it would be insecure - unless they have found a way to specify a
> default over https.
>
> Interestingly draft-hoffman won't help here either because you can't from
> the signer of my certificate work out what my public key is. They'd have
> to put the certificate for each user with an e-mail in DNSSEC, but then
> DNSSEC would become an e-mail lookup system ready for spamming people.
>
> So we have a situation where a WebID in an e-mail cert goes a lot further
> than I thought! But it is not quite optimal yet.
>

+1

It's not quite sameAs, more a foaf : mbox verification, but can be both DNS
based or PKI based in either or both directions ... the more checks you
pefform the higher your confidence interval.  The beautiful thing about
signing with PKI is that it makes things portable.

One thing to be wary about is that we are already heavily reliant on the
centralization of DNS.  We need to be cautious as to putting too many eggs
in one basket.


>
> Henry
>
>
> On 28 Sep 2012, at 15:07, Henry Story <henry.story@bblfish.net> wrote:
>
> > Btw. this follows up on a discussion on the IETF DANE mailing list and
> the WebID lists, that relates to an IETF proposal to use store signatures
> in DNSSEC using DANE. In this last part I think I found a reasonable
> picture of how these can interact.
> >
> >   http://lists.w3.org/Archives/Public/public-webid/2012Sep/0163.html
> >
> >
> > Henry
> >
> > PS. Thanks to Kingsley for helping me use my WebID Certificate to sign
> e-mails
> >
> >
> > On 28 Sep 2012, at 13:36, Kingsley Idehen <kidehen@openlinksw.com>
> wrote:
> >
> >> All,
> >>
> >> Bootstrapping anything on the Web requires technology implementer to
> use (dog-food) whatever technology they seek to promote to others. Thus, I
> would like to encourage every participant in the RWW and WebID community
> groups to make a best-effort to start signing emails, moving forward.
> >>
> >> Naturally, these emails should be signed using an WebID watermarked
> X.509 certificate. Certificate generation choices include:
> >>
> >> 1. Native generators that come with your desktop OS -- Mac OS X,
> Windows, and Linux all include such a utility
> >> 2. Certificate generators from WebID IdPs -- I have a list here:
> http://delicious.com/kidehen/webid+webid_idp (ping me if you have a
> generator that's unlisted) .
> >>
> >> Over the last year or so, I've written a number of how-to guides [1]
> covering how to sign emails across all the major native email clients.
> >>
> >> Once again, if we don't sign our emails we loose a simple opportunity
> to showcase the utility of WebIDs and the WebID authentication protocol.
> Being able to follow-your-nose from a WebID that watermarks an email
> senders certificate is a very simple utility showcase for both WebID and
> Linked Data.
> >>
> >> We can do this!
> >>
> >> Links:
> >>
> >> 1. http://bit.ly/VTnxzz -- collection of G+ hosted howtos (for all the
> major native email clients) covering how to digitally sign emails .
> >>
> >> --
> >>
> >> Regards,
> >>
> >> Kingsley Idehen
> >> Founder & CEO
> >> OpenLink Software
> >> Company Web: http://www.openlinksw.com
> >> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> >> Twitter/Identi.ca handle: @kidehen
> >> Google+ Profile: https://plus.google.com/112399767740508618350/about
> >> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> >>
> >>
> >>
> >>
> >>
> >
> > Social Web Architect
> > http://bblfish.net/
> >
>
> Social Web Architect
> http://bblfish.net/
>
>

Received on Sunday, 30 September 2012 18:34:42 UTC