- From: <nilclass@riseup.net>
- Date: Mon, 5 Mar 2012 19:45:01 +0100
- To: public-webid@w3.org
- Cc: "elf Pavlik" <perpetual-tripper@wwelves.org>
> --- Begin forwarded message from Henry Story ---
> From: Henry Story <henry.story@bblfish.net>
> To: elf Pavlik <perpetual-tripper@wwelves.org>
> Cc: public-webid <public-webid@w3.org>
> Date: Mon, 05 Mar 2012 13:25:27 +0000
> Subject: Re: as trustworthy as the hierarchical CA system currently in place...
>
>
> On 4 Mar 2012, at 18:04, elf Pavlik wrote:
>
>> Hello,
>>
>> After pointing my friend to WebID, he has shared this comment (original
>> linked later):
>>
>> "After reading the WebID specification once again, I'm not so sure
>> anymore whether I would want to use it.
>>
>> As described in section 2.2, the public key is published via the WebID
>> Profile, which is basically a FOAF profile. While section 3.4.2 does
>> note that "An HTTPS WebID will therefore be a lot more trustworthy than
>> an HTTP WebID by a factor of the likelihood of man in the middle
>> attacks", the whole system is only as trustworthy as the hierarchical
>> CA system currently in place.
>>
>> How can a web-of-trust be useful, if all the trust is based on a trust
>> system that has been shown to be untrustworthy for more than a decade?"
>>
>> https://heahdk.net/~nil/news/0005-webid-revisited
>
> Security is like knowledge: it is a modal notion which, like knowledge,
> comes in degrees. There is no such thing as absolute security, and no such
> thing as absolute certainty. This does not mean that there is no such thing
> as knowledge. Read Robert Nozick's section on knowledge in his Philosophical
> Explanations for a good modal analysis [1]

True.

> So we are pragmatic and working with the current CA system, which has its
> limitations but allows us to get off the ground. The TLS system can be
> improved in a number of ways, as work by the IETF Dane group [2] is showing,
> or other projects we mentioned on this list (pointers?) where people are
> setting up services to verify self-signed certificates.
>
> One can then go even further and develop naming systems that don't rely on
> DNS, but they fall into Zooko's triangle and are no longer readable. So we
> are here interested in getting the basic piece working. Improvements can
> then come in many different ways.

I understand the pragmatism and welcome it. Thanks for pointing out the Dane
group, I will start reading there.

But I did (and do) think that it should be made clear that the knowledge that
you have about the authenticity of a peer after authenticating via WebID is
only as likely to be true as the whole chain of authentication leading to the
conclusion of that knowledge is likely to be compromised. As with the CA
system, it is hard for a regular user to achieve any knowledge about the
likelihood of that happening, as the closest link in the chain - the
certificate issuer - is usually already a company to which the person doesn't
have a personal relationship. Beyond that, there are more or less anonymous
companies. The only information on those that knowledge can be built upon is
public opinion, PR campaigns and a generic belief in righteousness.

But I don't have any alternative to present right now, so I should probably
stop whining.

Anyway, I like the effort of WebID in general and will start reading this
list now.

'()

>
> Henry
>
>
>
> [1] https://blogs.oracle.com/bblfish/entry/the_fifth_dimension
> [2] http://tools.ietf.org/wg/dane/
>
>>
>> Any references to previous discussion on this issue?
>> Thanks!
>> ~ elf Pavlik ~
>>
>
> Social Web Architect
> http://bblfish.net/
> --- End forwarded message ---
>
Received on Wednesday, 7 March 2012 14:24:20 UTC
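The thread argues about where the trust in a WebID authentication actually sits: the verifier compares the key in the client's certificate with the key published in the profile it dereferences, so the result is only as good as the transport that delivered the profile. The following is an added example, not code from the WebID specification or from anyone in the thread: a minimal WebID-TLS style verifier with a pluggable fetcher, used to show the honest case, the plain-HTTP case, and the case the thread worries about, a profile host whose TLS chain is satisfied by a mis-issued CA certificate. The profile document, the `alice.example` names, the shortened key values and the `honest_fetch`/`mitm_fetch` functions are all constructed for this illustration.

```python
"""
Added example (not code from the WebID spec or the thread): a minimal
WebID-TLS style verifier that shows which link the authentication result
rests on. Names, profile document and fetchers are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urldefrag, urlparse


@dataclass(frozen=True)
class ClientCert:
    """What the verifier learns from the TLS client-auth handshake: the WebID
    URI in the certificate's subjectAltName and the RSA key it carries."""
    webid: str
    modulus: int
    exponent: int


@dataclass(frozen=True)
class Verdict:
    authenticated: bool     # presented key matches a key in the profile
    profile_over_tls: bool  # profile came over HTTPS with a validated chain
    reason: str


# Constructed WebID profile (Turtle), shaped like the spec's example.
# Modulus shortened for readability; a real RSA modulus is 2048+ bits.
HONEST_PROFILE = """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<https://alice.example/profile#me>
    cert:key [
        cert:modulus "cafebabe0123456789"^^xsd:hexBinary ;
        cert:exponent 65537 ;
    ] .
"""

ALICE_MOD = int("cafebabe0123456789", 16)
MALLORY_MOD = int("deadbeef9876543210", 16)
ALICE = ClientCert("https://alice.example/profile#me", ALICE_MOD, 65537)
# Mallory claims Alice's WebID but holds a different key pair.
MALLORY = ClientCert("https://alice.example/profile#me", MALLORY_MOD, 65537)

KEY_RE = re.compile(
    r'cert:modulus\s+"([0-9a-fA-F]+)"\^\^xsd:hexBinary\s*;\s*cert:exponent\s+(\d+)'
)


def profile_keys(turtle: str) -> List[Tuple[int, int]]:
    """(modulus, exponent) pairs from the profile. A regex is enough for the
    constructed document above; a real verifier parses the RDF and checks the
    key is attached to the WebID subject being verified."""
    return [(int(m, 16), int(e)) for m, e in KEY_RE.findall(turtle)]


# A fetcher returns (document body, whether the TLS chain to the profile
# host validated against the verifier's CA store). That flag is the link
# the whole WebID result ultimately rests on.
Fetcher = Callable[[str], Tuple[str, bool]]


def honest_fetch(url: str) -> Tuple[str, bool]:
    """Stand-in for a GET of the real profile; chain validates only over HTTPS."""
    return HONEST_PROFILE, urlparse(url).scheme == "https"


def mitm_fetch(url: str, forged_chain: bool) -> Tuple[str, bool]:
    """Attacker between verifier and alice.example swaps in a profile carrying
    Mallory's key. Over plain HTTP nothing stops this; over HTTPS it needs a
    mis-issued certificate for alice.example (forged_chain=True), and then
    the verifier's chain check passes exactly as in the honest case."""
    body = HONEST_PROFILE.replace("cafebabe0123456789", "deadbeef9876543210")
    return body, urlparse(url).scheme == "https" and forged_chain


def verify_webid(cert: ClientCert, fetch: Fetcher, allow_http: bool = False) -> Verdict:
    """Dereference the WebID, compare the presented key with the published one."""
    scheme = urlparse(cert.webid).scheme
    if scheme not in ("http", "https"):
        return Verdict(False, False, "unsupported WebID scheme")
    if scheme == "http" and not allow_http:
        return Verdict(False, False, "plain-HTTP WebID: profile cannot be authenticated")
    doc_url, _fragment = urldefrag(cert.webid)
    body, chain_ok = fetch(doc_url)
    if scheme == "https" and not chain_ok:
        return Verdict(False, False, "TLS chain to profile host did not validate")
    if (cert.modulus, cert.exponent) in profile_keys(body):
        return Verdict(True, chain_ok, "presented key is listed in the profile")
    return Verdict(False, chain_ok, "presented key not listed in the profile")


if __name__ == "__main__":
    print("alice, honest host:   ", verify_webid(ALICE, honest_fetch))
    print("mallory, honest host: ", verify_webid(MALLORY, honest_fetch))
    print("mallory, mis-issued CA cert:",
          verify_webid(MALLORY, lambda u: mitm_fetch(u, forged_chain=True)))
```

The last two calls are the point of the thread: with a certificate mis-issued for the profile host, Mallory's verdict is identical to Alice's honest one, and nothing in the WebID check itself can tell them apart; the verifier has delegated that question entirely to whichever CA vouched for `alice.example`.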