- From: elf Pavlik <perpetual-tripper@wwelves.org>
- Date: Mon, 05 Mar 2012 10:46:48 +0000
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: public-webid <public-webid@w3.org>
Excerpts from Melvin Carvalho's message of 2012-03-04 21:00:08 +0000:
> On 4 March 2012 18:04, elf Pavlik <perpetual-tripper@wwelves.org> wrote:
>
> > Hello,
> >
> > After pointing my friend to WebID, he has shared this comment (original
> > linked later):
> >
> > "After reading the WebID specification once again, I'm not so sure
> > anymore, whether I would want to use it.
> >
> > As described in section 2.2, the public key is published via the WebID
> > Profile, which is basically a FOAF profile. While section 3.4.2 does note
> > that "An HTTPS WebID will therefore be a lot more trustworthy than an HTTP
> > WebID by a factor of the likelihood of man in the middle attacks", however
> > the whole system is only as trustworthy as the hierarchical CA system
> > currently in place.
> >
> > How can a web-of-trust be useful, if all the trust is based on a trust
> > system that has been shown to be untrustworthy for more than a decade?"
> >
> > https://heahdk.net/~nil/news/0005-webid-revisited
> >
>
> Certificates are self signed, so a CA is never involved.

yeah, client certs we use for WebID we can sign ourselves, but since we rely on fetching the public key over HTTPS from the domain in Subject Alternative Name (which i remember you pointed out that most people use http WebIDs)

trying https connections to domains of people your website states that you know:

https://bblfish.net/ - (exception - common name www.foafssl.org) issuer: StartCom Ltd.
https://webr3.org/ - (exception - common name ssl.data.fm) issuer: StartCom Ltd.
https://tobyinkster.co.uk/ (self signed)
https://sw-app.org/ (Error code: ssl_error_rx_record_too_long)
https://wojciechpolak.org/ (exception) issuer: gnu.org.ua
https://fcns.eu/ issuer: Alpha CA
https://id.myopenlink.net/ issuer: Thawte Premium Server CA
https://bart.netage.nl/ (exception - common name *.resc.info) issuer: GlobalSign Domain Validation CA
https://presbrey.mit.edu/ (exception - common name *.scripts.mit.edu) issuer: Equifax Secure Certificate Authority
https://melvincarvalho.com/ (Error code: ssl_error_rx_record_too_long)

just using firefox with its bundled cert authorities...

how does the statement from the spec hold without depending on the current hierarchical CA system?

"An HTTPS WebID will therefore be a lot more trustworthy than an HTTP WebID by a factor of the likelihood of man in the middle attacks."

thanks for helping me with clarifying it =)

~ elf pavlik ~
Received on Monday, 5 March 2012 10:47:30 UTC
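
The kind of survey done by hand in the message above, as an added example that is not part of the original e-mail: it sorts the server certificate of a WebID profile host into the outcomes listed there (name mismatch, self-signed, issuer outside the bundled list, accepted). All hosts, certificate fields and the `TRUSTED` set are constructed, and matching the issuer by name is an assumption standing in for the signature-chain verification a TLS library performs.

```python
# Added example. Cert dicts use the shape returned by ssl.SSLSocket.getpeercert();
# every host, name and the TRUSTED set below is constructed for illustration.
TRUSTED = {"Example Bundled CA"}  # stand-in for the browser's bundled CA list

def _flat(name):
    """Flatten getpeercert()'s tuple-of-RDNs into a plain dict."""
    return {k: v for rdn in name for (k, v) in rdn}

def _matches(pattern, host):
    """Compare label by label; '*' covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(host, cert, trusted=TRUSTED):
    """Return the reasons a verifier would reject the cert, or ['ca-verified']."""
    subject, issuer = _flat(cert["subject"]), _flat(cert["issuer"])
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    names = names or [subject.get("commonName", "")]
    problems = []
    if not any(_matches(n, host) for n in names):
        problems.append("name-mismatch")
    if subject == issuer:
        problems.append("self-signed")
    # Simplification: a real verifier checks signatures up the chain, not names.
    elif issuer.get("organizationName") not in trusted:
        problems.append("unknown-issuer")
    return problems or ["ca-verified"]

def _cert(cn, issuer_org=None, san=()):
    """Build a constructed cert dict; issuer_org=None means self-signed."""
    subject = ((("commonName", cn),),)
    issuer = subject if issuer_org is None else ((("organizationName", issuer_org),),)
    return {"subject": subject, "issuer": issuer,
            "subjectAltName": tuple(("DNS", n) for n in san)}

SAMPLES = {  # constructed hosts, one per outcome
    "alice.example": _cert("www.shared-host.example", "Example Bundled CA"),
    "bob.example": _cert("bob.example"),
    "carol.example": _cert("carol.example", "Small Private CA"),
    "dave.hosting.example": _cert("*.hosting.example", "Example Bundled CA",
                                  san=["*.hosting.example"]),
}

if __name__ == "__main__":
    for host, cert in SAMPLES.items():
        print(f"https://{host}/ -> {', '.join(classify(host, cert))}")
```

Only the `ca-verified` outcome rests on the bundled CA list; every other outcome leaves the fetched profile, and the public key in it, unauthenticated at the transport layer.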