- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Fri, 14 Jun 2013 12:10:18 -0400
- To: public-webid@w3.org
- CC: "foaf-protocols@lists.foaf-project.org" <foaf-protocols@lists.foaf-project.org>
- Message-ID: <51BB406A.50800@openlinksw.com>
On 6/14/13 11:42 AM, Peter Williams wrote:
> that's a big change - doing away with the notion that https (because it's ubiquitous) had/has some mystical privacy-enhancing power; or that certs in x.509 or jwt form have some special properties.

Yes!

> Folks now know generally that crypto solves nothing (if the trusted vendors are not so trustworthy as previously believed).

It's the application of crypto, within the context of logic, that has tangible utility.

> Folks do now assume that AT ONE LEVEL OR ANOTHER technology subject to public policy (and that includes the web) is tracking you; and the crypto present in commodity-grade https does nothing to address that. In fact, it's there to facilitate and make it easier to accomplish.

Yes! That's always the endgame when the following intersect:

1. centralization
2. misguided ambivalence -- on the part of users that are increasingly cognitively dissonant about the complex issue of privacy, magnified by the Web and Internet.

> The more security engineering folks should have been taught that crypto is about the exact opposite - being actually all about (security policy) accountability. I.e. track that document number, track that distribution list, track that set of edits, and track those changes in security markings (every 10 years...). It's there to impose “double entry” bookkeeping, for a distributed set of books.

Nice analogy.

> I have seen three security models and philosophies applied to FOAF: i) PGP-ish key distribution that actually used the metadata-approach to design, ii) the DARPA-sponsored use of SPARQL-like queries to define remote operation protocols, iii) webid, and its early attempt to bridge the 2 worlds of information queries and data protocols while not straying from the assumptions of REST - that defines how the web world is supposed to build such bridges.
>
> is obscurity number four? is this the return of the world of personal codebooks, semantic and semiotic countermeasures? This is likely to be more successful than pitching a defense based on using machines to guard against machine attack.
>
> As always security scheme design is about designing for the complexity of decoding. So design encoders that force use of (time-) expensive decoders. In that window of complexity, you have a security measure (the time it takes to decode). Your security model has to be based on the military notion that: I want it secret for X time (after which the metadata has little value, anyways).

But you can use logic to warp time, even more so if the logic becomes webby :-)

Anyway, take a look at: http://youid.openlinksw.com -- it is in quiet release mode (i.e., progressive addition of screencasts and tutorials en route to helping consumers understand their ability to control and calibrate their vulnerabilities online).

Kingsley

> *From:* Melvin Carvalho
> *Sent:* Friday, June 14, 2013 8:40 AM
> *To:* Peter Williams
> *Cc:* public-webid Group, Henry Story, foaf-protocols@lists.foaf-project.org
>
> On 14 June 2013 17:20, Peter Williams <home_pw@msn.com> wrote:
>
>> When it was written, the public didn't know the meaning of the term metadata. Now they do - educated by means of showing privacy vulnerabilities specific to a web “founded on” insecure metadata. And they have a good intuition of a specifically “social” class of threat models specific to metadata. They also have a mental model of how vendors, contractors and security professionals may be part of the threat (to personal privacy invasion); willingly or otherwise. For a specifically social trust protocol the change in the public’s perceptions and education level on the threats they face does change the (scope of the) problem. The freedom box is now perceived to be not so free (depending on context); and may be actually rather worthless, unless you count the “feel good” factor. How does WebID - in its updated philosophy - address the newly revealed threat of specifically institutional snooping?
>
> WebID is no longer tied to X.509 certs, it's just a linked data identifier. This is useful for discovery, friending, annotation and a whole host of other things, one of which is auth.
>
> WebID+TLS is an X.509 based method to use RSA keys to authenticate over TLS.
>
> WebID+WebKeys is a method to use any kind of key to authenticate over any protocol including javascript/websockets.
>
> WebID Simple (proposed) is a way to identify and authenticate via security by obscurity
>
> You can add many more auth systems onto this list, as you come up with them.
>
>> If I look back at the concept of the VeriSign cert in netscape-grade https, it was specifically intended (by VISA) to be a feel good security technology, note, no ifs, no buts, no caveats. It was to change nothing (but make you feel good about the new internet threats that came into the concept set of the general public, circa 1994).
>>
>> *From:* Henry Story
>> *Sent:* Friday, June 14, 2013 2:36 AM
>> *To:* public-webid Group
>> *Cc:* foaf-protocols@lists.foaf-project.org
>>
>> On 13 Jun 2013, at 22:31, Henry Story <henry.story@bblfish.net> wrote:
>>
>>> Yes, we have two specs:
>>>
>>> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
>>> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
>>>
>>> I am not sure why we don't get the full html view anymore.
>>> Anyone know what we need to change?
>>
>> I fixed these. The problem is related to the move to the new respec.js https://github.com/darobin/respec/
>>
>> It no longer allows one to add spec refs to the js as one used to be able to
>>
>> see diff https://dvcs.w3.org/hg/WebID/rev/7f01174c75b0
>>
>> So the TLS spec now is missing two references
>>
>> [[
>> berjon.biblio["RFC5746"] = "E. Rescorla, M. Ray, S. Dispensa, N. Oskov, <a href=\"http://tools.ietf.org/html/rfc5746\"><cite>Transport Layer Security (TLS) Renegotiation Indication Extension</cite></a> February 2010. Internet RFC 5246. URL: <a href=\"http://tools.ietf.org/html/rfc5746\">http://tools.ietf.org/html/rfc5746</a>";
>>
>> berjon.biblio["WEBID"] = "Andrei Sambra, Stéphane Corlosquet. <a href='https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html'
>> ]]
>>
>> Any idea how one can get those added to the code using the new specref?
>>
>> https://github.com/tobie/specref
>>
>>> We split the identity part from the TLS part, and we have a definition of WebID that is simple and implementable. Also a bit of philosophical
>>>
>>> We should be close to a new release. All we need is one document to describe the other two docs. And perhaps a few tweaks....
>>>
>>> Henry
>>>
>>> Begin forwarded message:
>>>
>>>> From: Dan Brickley <danbri@danbri.org>
>>>> Subject: [foaf-protocols] WebID status recap?
>>>> Date: 13 June 2013 21:39:26 CEST
>>>> To: foaf-protocols@lists.foaf-project.org
>>>>
>>>> It's mid-2013. Can someone share an overview of the current status of WebID aka foaf+ssl, in terms of implementations, adoption and documentation at W3C?
>>>>
>>>> Thanks,
>>>>
>>>> Dan
>>>> _______________________________________________
>>>> foaf-protocols mailing list
>>>> foaf-protocols@lists.foaf-project.org
>>>> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>>>
>>> Social Web Architect
>>> http://bblfish.net/

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Friday, 14 June 2013 16:10:42 UTC