
Re: as trustworthy as the hierarchical CA system currently in place...

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 05 Mar 2012 07:21:54 -0500
Message-ID: <4F54AFE2.5060601@openlinksw.com>
To: public-webid@w3.org

On 3/5/12 5:46 AM, elf Pavlik wrote:
> Excerpts from Melvin Carvalho's message of 2012-03-04 21:00:08 +0000:
>> On 4 March 2012 18:04, elf Pavlik <perpetual-tripper@wwelves.org> wrote:
>>
>>> Hello,
>>>
>>> After pointing my friend to WebID, he has shared this comment (original
>>> linked later):
>>>
>>> "After reading the WebID specification once again, I'm not so sure
>>> anymore, whether I would want to use it.
>>>
>>> As described in section 2.2, the public key is published via the WebID
>>> Profile, which is basically a FOAF profile. While section 3.4.2 does note
>>> that "An HTTPS WebID will therefore be a lot more trustworthy than an HTTP
>>> WebID by a factor of the likelihood of man in the middle attacks", however
>>> the whole system is only as trustworthy as the hierarchical CA system
>>> currently in place.
>>>
>>> How can a web-of-trust be useful, if all the trust is based on a trust
>>> system that has been shown to be untrustworthy for more than a decade?"
>>>
>>> https://heahdk.net/~nil/news/0005-webid-revisited
>>>
>> Certificates are self signed, so a CA is never involved.
> yeah, client certs we use for WebID we can sign ourselves, but since we rely on fetching the public key over HTTPS from the domain in Subject Alternative Name (which I remember you pointed out that most people use http WebIDs)
>
> trying https connections to domains of people your website states that you know:
> https://bblfish.net/ - (exception - common name www.foafssl.org) issuer: StartCom Ltd.
> https://webr3.org/ - (exception - common name ssl.data.fm) issuer: StartCom Ltd.
> https://tobyinkster.co.uk/ (self signed)
> https://sw-app.org/ (Error code: ssl_error_rx_record_too_long)
> https://wojciechpolak.org/ (exception) issuer: gnu.org.ua
> https://fcns.eu/ issuer: Alpha CA
> https://id.myopenlink.net/ issuer: Thawte Premium Server CA
> https://bart.netage.nl/ (exception - common name *.resc.info) issuer: GlobalSign Domain Validation CA
> https://presbrey.mit.edu/ (exception - common name *.scripts.mit.edu) issuer: Equifax Secure Certificate Authority
> https://melvincarvalho.com/ (Error code: ssl_error_rx_record_too_long)
>
> just using firefox with its bundled cert authorities...
>
> how does the statement from the spec hold without depending on the current hierarchical CA system?

We've opted to identify our servers with certificates as part of our 
desire to negate the scary warnings from browsers. Same applies to the 
use of these CA notarized certificates for optional signing by our local 
instance. These are just options. Nothing to do with the essence of WebID.

> "An HTTPS WebID will therefore be a lot more trustworthy than an HTTP WebID by a factor of the likelihood of man in the middle attacks."

No, not until you prove to me how you are going to head fake my verifier 
to a graph that holds a mirror of my WebID and Public key using terms 
from the cert. ontology that drives the system. Why not just prove it 
instead of speculating?

Kingsley
>
> thanks for helping me with clarifying it =)
> ~ elf pavlik ~
>
>


-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen








Received on Monday, 5 March 2012 12:22:18 UTC
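
The verifier check this thread argues about, as an added example that is not part of the original message or of any WebID implementation: it matches the client certificate's RSA key against the `cert:key` statements the profile graph makes about the claimed WebID, and separately reports how the profile was fetched, since a key match over plain HTTP or over HTTPS with a certificate exception rests on an unauthenticated channel. The function names, channel labels and `alice.example` data are assumptions for illustration, and the profile is assumed to be already parsed into triples by an RDF parser.

```python
from urllib.parse import urlsplit

CERT = "http://www.w3.org/ns/auth/cert#"  # cert ontology namespace

def profile_keys(triples, webid):
    """Yield (modulus, exponent) for each cert:key the graph attaches to webid."""
    key_nodes = {o for s, p, o in triples if s == webid and p == CERT + "key"}
    for node in key_nodes:
        props = {p: o for s, p, o in triples if s == node}
        mod, exp = props.get(CERT + "modulus"), props.get(CERT + "exponent")
        if mod is None or exp is None:
            continue  # incomplete key description: ignore it
        try:
            # cert:modulus is xsd:hexBinary; tolerate whitespace and case
            yield int("".join(mod.split()), 16), int(exp)
        except ValueError:
            continue  # malformed literal: ignore it

def verify_webid(webid, cert_key, triples, tls_validated):
    """Return (key_matches, channel) for a claimed WebID.

    cert_key: (modulus, exponent) ints taken from the client certificate.
    tls_validated: True only if the profile fetch used HTTPS and the server
    certificate chained to a trusted root and matched the host name.
    """
    key_matches = cert_key in set(profile_keys(triples, webid))
    if urlsplit(webid).scheme != "https":
        channel = "unauthenticated-http"
    elif not tls_validated:
        channel = "https-with-cert-exception"
    else:
        channel = "authenticated-https"
    return key_matches, channel

# Constructed sample data (not from the thread): a parsed profile graph.
ME = "https://alice.example/profile#me"
GRAPH = [
    (ME, CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", "00 C5 3A 91\n 7F"),
    ("_:k1", CERT + "exponent", "65537"),
    ("https://alice.example/profile#other", CERT + "key", "_:k2"),
    ("_:k2", CERT + "modulus", "ABCD"),
    ("_:k2", CERT + "exponent", "65537"),
]

if __name__ == "__main__":
    print(verify_webid(ME, (0xC53A917F, 65537), GRAPH, tls_validated=True))
    print(verify_webid(ME, (0xC53A917F, 65537), GRAPH, tls_validated=False))
    print(verify_webid(ME, (0xABCD, 65537), GRAPH, tls_validated=True))
```

Only keys whose `cert:key` subject is the claimed WebID count, so the second key in the constructed graph, which belongs to a different subject, does not authenticate `#me`.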
