W3C home > Mailing lists > Public > public-webid@w3.org > March 2012

Re: Fwd: Re: as trustworthy as the hierarchical CA system currently in place...

From: <nilclass@riseup.net>
Date: Mon, 5 Mar 2012 19:45:01 +0100
Message-ID: <fc105f5e367dafa5befc63fd85dba626.squirrel@fulvetta.riseup.net>
To: public-webid@w3.org
Cc: "elf Pavlik" <perpetual-tripper@wwelves.org>

> --- Begin forwarded message from Henry Story ---
> From: Henry Story <henry.story@bblfish.net>
> To: elf Pavlik <perpetual-tripper@wwelves.org>
> Cc: public-webid <public-webid@w3.org>
> Date: Mon, 05 Mar 2012 13:25:27 +0000
> Subject: Re: as trustworthy as the hierarchical CA system currently in
> place...
> On 4 Mar 2012, at 18:04, elf Pavlik wrote:
>> Hello,
>> After pointing my friend to WebID, he have shared this comment (original
>> linked later):
>> "After reading the WebID specification once again, I'm not so sure
>> anymore, whether I would want to use it.
>> As described in section 2.2, the public key is published via the WebID
>> Profile, which is basically a FOAF profile. While section 3.4.2 does
>> note that "An HTTPS WebID will therefore be a lot more trustworthy than
>> an HTTP WebID by a factor of the likelihood of man in the middle
>> attacks", however the whole system is only as trustworthy as the
>> hierarchical CA system currently in place.
>> How can a web-of-trust be useful, if all the trust is based on a trust
>> system that has been shown to be untrustworthy for more than a decade?"
>> https://heahdk.net/~nil/news/0005-webid-revisited
> Security is like knowledge: it is a modal notion which like knowledge
> comes in degrees. There is
> no such thing as absolute security, and no such thing as absolute
> certainty. This does not mean
> that there is no such thing as knowledge. Read Robert Nozick's section on
> knowledge in his Philosophical
> Explanations, for a good modal analysis [1]


> So we are pragmatic and working with the current CA system which has its
> limitations, but allows us to get
> off the ground. The TLS system can be improved in a number of ways, as
> work by IETF Dane group is  [2]
> is showing or other projects we mentioned on this list (pointers?) where
> people are setting up services
> to verify self signed certificates. One can then go even further and
> develop naming systems that don't rely on
> DNS, but they fall into Zooko's triangle, and are no longer readable. So
> we are here interested in getting
> the basic piece working. Improvemetns can then come in many different
> ways.

I understand the pragmatism and welcome it. Thanks for pointing out the
Dane group, I will start reading there. But I did (and do) think that it
should be made clear, that the knowledge that you have about the
authenticity of a peer after authenticating via WebID is only as likely to
be true, as the whole chain of authentication leading to the conclusion of
that knowledge is likely to be compromised. As with the CA system it is
hard for a regular user to achieve any knowledge about the likelyhood of
that happening, as the closest link in the chain - the certificate issuer
- is usually already a company to which the person doesn't have a personal
relationship. Beyond that, there are more more or less anonymous
companies. The only information on those, that knowledge can be built upon
is public opinion, PR campaigns and a generic belief in righteousness.
But I am don't have any alternative to present right now, so I should
probably stop whining. Anyway, I like the effort of WebID in general and
will start reading this list now.


>   Henry
> [1] https://blogs.oracle.com/bblfish/entry/the_fifth_dimension
> [2] http://tools.ietf.org/wg/dane/
>> Any references to previous discussion on this issue?
>> Thanks!
>> ~ elf Pavlik ~
> Social Web Architect
> http://bblfish.net/
> --- End forwarded message ---
Received on Wednesday, 7 March 2012 14:24:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:39 UTC