- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Mon, 05 Mar 2012 07:21:54 -0500
- To: public-webid@w3.org
- Message-ID: <4F54AFE2.5060601@openlinksw.com>
On 3/5/12 5:46 AM, elf Pavlik wrote:

> Excerpts from Melvin Carvalho's message of 2012-03-04 21:00:08 +0000:
>> On 4 March 2012 18:04, elf Pavlik <perpetual-tripper@wwelves.org> wrote:
>>
>>> Hello,
>>>
>>> After pointing my friend to WebID, he has shared this comment (original linked later):
>>>
>>> "After reading the WebID specification once again, I'm not so sure anymore whether I would want to use it.
>>>
>>> As described in section 2.2, the public key is published via the WebID Profile, which is basically a FOAF profile. While section 3.4.2 does note that "An HTTPS WebID will therefore be a lot more trustworthy than an HTTP WebID by a factor of the likelihood of man in the middle attacks", the whole system is only as trustworthy as the hierarchical CA system currently in place.
>>>
>>> How can a web-of-trust be useful, if all the trust is based on a trust system that has been shown to be untrustworthy for more than a decade?"
>>>
>>> https://heahdk.net/~nil/news/0005-webid-revisited
>>>
>> Certificates are self signed, so a CA is never involved.
>
> Yeah, the client certs we use for WebID we can sign ourselves, but we rely on fetching the public key over HTTPS from the domain in the Subject Alternative Name (which, I remember, you pointed out most people use http WebIDs for).
>
> Trying https connections to the domains of people your website states that you know:
>
> https://bblfish.net/ - (exception - common name www.foafssl.org) issuer: StartCom Ltd.
> https://webr3.org/ - (exception - common name ssl.data.fm) issuer: StartCom Ltd.
> https://tobyinkster.co.uk/ (self signed)
> https://sw-app.org/ (Error code: ssl_error_rx_record_too_long)
> https://wojciechpolak.org/ (exception) issuer: gnu.org.ua
> https://fcns.eu/ issuer: Alpha CA
> https://id.myopenlink.net/ issuer: Thawte Premium Server CA
> https://bart.netage.nl/ (exception - common name *.resc.info) issuer: GlobalSign Domain Validation CA
> https://presbrey.mit.edu/ (exception - common name *.scripts.mit.edu) issuer: Equifax Secure Certificate Authority
> https://melvincarvalho.com/ (Error code: ssl_error_rx_record_too_long)
>
> Just using Firefox with its bundled cert authorities...
>
> How does the statement from the spec hold without depending on the current hierarchical CA system?

We've opted to identify our servers with certificates as part of our desire to negate the scary warnings from browsers. Same applies to the use of these CA notarized certificates for optional signing by our local instance. These are just options. Nothing to do with the essence of WebID.

> "An HTTPS WebID will therefore be a lot more trustworthy than an HTTP WebID by a factor of the likelihood of man in the middle attacks."

No, not until you prove to me how you are going to head fake my verifier to a graph that holds a mirror of my WebID and Public key using terms from the cert. ontology that drives the system. Why not just prove it instead of speculating?

Kingsley

> Thanks for helping me with clarifying it =)
> ~ elf pavlik ~

-- 
Regards,
Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Monday, 5 March 2012 12:22:18 UTC
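The verifier step the thread argues over, as an added example that is not code from this message or from any WebID implementation: take the WebID URI from the client certificate's Subject Alternative Name, dereference the profile document, and accept the certificate only if the profile attaches that WebID to the same RSA modulus and exponent via the cert ontology. The profile text, key values, host name and fetch stub are constructed; the scheme of the WebID is reported because the match is only as strong as the transport the profile came over, which is the point elf raised.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

@dataclass
class ClientCert:
    """The parts of a self-signed WebID client certificate the verifier needs."""
    san_uris: List[str]   # subjectAltName URI entries: the WebIDs the cert claims
    modulus: int          # RSA public key modulus
    exponent: int         # RSA public exponent

def keys_in_profile(turtle: str, webid: str) -> List[Tuple[int, int]]:
    """(modulus, exponent) pairs the profile attaches to <webid> via cert:key.
    Minimal regex extraction for the Turtle shape the spec shows; a real
    verifier runs an RDF parser. int(..., 16) normalises leading-zero hex."""
    pattern = r"<%s>\s+cert:key\s*\[(.*?)\]" % re.escape(webid)
    keys = []
    for block in re.finditer(pattern, turtle, re.S):
        mod = re.search(r'cert:modulus\s+"([0-9A-Fa-f]+)"', block.group(1))
        exp = re.search(r"cert:exponent\s+(\d+)", block.group(1))
        if mod and exp:
            keys.append((int(mod.group(1), 16), int(exp.group(1))))
    return keys

def verify_webid(cert: ClientCert, fetch: Callable[[str], Optional[str]]):
    """Return (webid, scheme) for the first SAN WebID whose profile publishes
    the certificate's key, else None. fetch(document_uri) -> Turtle or None.
    Over https the match rests on the server certificate; over http on nothing."""
    for webid in cert.san_uris:
        document_uri = webid.split("#", 1)[0]       # drop the fragment
        turtle = fetch(document_uri)
        if turtle is None:
            continue
        if (cert.modulus, cert.exponent) in keys_in_profile(turtle, webid):
            return webid, urlparse(webid).scheme
    return None

# Constructed profile and fetch stub (hypothetical host, not a real WebID)
ALICE = "https://alice.example/profile#me"
ALICE_PROFILE = """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<https://alice.example/profile#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "00C0FFEE0BADF00D"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
"""
DOCUMENTS = {"https://alice.example/profile": ALICE_PROFILE}

def fetch_stub(uri: str) -> Optional[str]:
    return DOCUMENTS.get(uri)

ALICE_CERT = ClientCert([ALICE], 0xC0FFEE0BADF00D, 65537)
IMPOSTOR_CERT = ClientCert([ALICE], 0xDEADBEEF, 65537)  # claims Alice's WebID, other key
```

A certificate that names Alice's WebID but carries a different key is rejected, because the profile, not the certificate, is what binds the key to the identity.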