- From: Peter Williams <home_pw@msn.com>
- Date: Fri, 14 Jun 2013 16:14:56 +0000
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: public-webid Group <public-webid@w3.org>, Henry Story <henry.story@bblfish.net>, "foaf-protocols@lists.foaf-project.org" <foaf-protocols@lists.foaf-project.org>
- Message-ID: <SNT402-EAS370CD405B0BAF62734811DF92800@phx.gbl>
So now turn the tables (though expect to be higher up the targeting list, if you do). Remember the Chartists protesting on London Common in the “liberal” late 1800s got sliced up by the swords of the Kings guards, for a lot less. The little UK Olympic theatre of showing how important the UK was to the emancipation of women selectively omitted the bloody parts. What tracking requires is subversion of the public trust (while defining and enacting the secret interpretation of the “actual”public trust model). I was unable to convey this before now, since folks were not able to listen. Now you are. You know there are JUST NO LIMITS to this issue (spying is like a addictive drug -all consuming in the end). There is just nothing that is not a legitimate target for subversion. Now the algorithms used in tracking are well known - being weighted graphs and the complexity of algorithms tht process such graphs in one manner or another. All the 1920s techniques of heisenburg group theory, probability spaces, phase spaces, configuration spaces of huge dimensional vector spaces are the food blocks out of which the diet is designed. Confidence is the final target (is the smeared-out particle probably in this demarcated volume of probability space). So, a security model FOR METADATA has to attack confidence building, or limit the value of an analysts assignment of a confidence rating, or attack the reliability of the foundations of the trust system that makes a confidence rating have any persuasive power. Knowing Kingsley, he will be on the right track. Sent from Windows Mail From: Melvin Carvalho Sent: Friday, June 14, 2013 9:13 AM To: Peter Williams Cc: public-webid Group, Henry Story, foaf-protocols@lists.foaf-project.org On 14 June 2013 17:42, Peter Williams <home_pw@msn.com> wrote: that's a big change - doing away with the notion that https (because its ubiquitous ) had/has some mystical privacy-enhancing power; or that certs in x.509 or jwt form have some special properties. Folks now know now generally that crypto solves nothing (if the trusted vendors are not so trustworthy as previously believed). Folks do now assume that AT ONE LEVEL OR ANOTHER technology subject to public policy (and that includes the web) is tracking you; and the crypto present in commodity-grade https does nothing to address that. IN fact, its there to facilitate and make it easier to accomplish. The more security engineering folks should have been taught that crypto is about the exact opposite - being actually all about (security policy) accountability. I.e. track that document number, track that distribution list, track that set of edits, and track those changes in security markings (every 10 years...). Its there to impose “double entry” bookkeeping, for a distributed set of books. I have seen three security model and philosophies applied to FOAF: i) PGP-ish key distribution that actually used the metadata-approach to design, ii) the DARPA-sponsored use of SPARQL-like queries to define remote operation protocols, iii) webid, and its early attempt to bridge the 2 2 worlds of information queries and data protocols while not straying from the assumptions of REST - that defines how the web world is supposed to build such bridges. is obscurity number four? is his the return of the world of personal codebooks, semantic and semiotic countermeasures? This is likely to be more successful than pitching a defense based on using machines to guard against machine attack. As always security scheme design is about designing for the complexity of decoding. So design encoders that force use of (time-) expensive decoders. In that window of complexity, you have a security measure (the time it takes to decode). Your security model has to be based on the military notion that: I want it secret for X time (after which the metadata has little value, anyways). +1 happy that you grokked the importance of this -- it took us a while to get there, but modularity is a cornerstone of web design :) Sent from Windows Mail From: Melvin Carvalho Sent: Friday, June 14, 2013 8:40 AM To: Peter Williams Cc: public-webid Group, Henry Story, foaf-protocols@lists.foaf-project.org On 14 June 2013 17:20, Peter Williams <home_pw@msn.com> wrote: When it was written, the public didn't know the meaning of the term metadata. Now they do - educated by means of showing privacy vulnerabilities specific to a web “founded on” insecure metadata. And they have a good intuition of specifically -”social” class of threat models specific to metadata. They also have a mental model of how vendors, contractors and security professionals may be part of the threat (to personal privacy invasion); willingly or otherwise. For a specifically social trust protocol the change in the public’s perceptions and education level on the threats they face does changes the (scope of the) problem. The freedom box is now perceived to be not so free (depending on context); and may be actually rather worthless, unless you count the “feel good” factor. How does WebID - in its updated philosophy - address the newly revealed threat of specifically institutional snooping? WebID is no longer tied to X.509 certs, it's just a linked data identifer. This is useful for discovery, friending, annotation and a whole host of other things, one of which is auth. WebID+TLS is an X.509 based method to use RSA keys to authenticate over TLS. WebID+WebKeys is a method to use any kind of key to authenticate over any protocol including javascript/websockets. WebID Simple (proposed) is a way to identify and authenticate via security by obscurity You can add many more auth systems onto this list, as you come up with them. If I look back at the concept of the VeriSign cert in netscape-grade https, it was specifically intended (by VISA) to be a feel good security technology, note, no ifs, no buts, no caveats. It was to change nothing (but make you feel good about the new internet threats that came into the concept set of the general public, circa 1994). Sent from Windows Mail From: Henry Story Sent: Friday, June 14, 2013 2:36 AM To: public-webid Group Cc: foaf-protocols@lists.foaf-project.org On 13 Jun 2013, at 22:31, Henry Story <henry.story@bblfish.net> wrote: > Yes, we have two specs: > > https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html > https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html > > I am not sure why we don't get the full html view anymore. > Anyone know what we need to change? I fixed these. The problem is related to the move to the new respec.js https://github.com/darobin/respec/ It no longer allows one to add spec refs to the js as one used to be able to see diff https://dvcs.w3.org/hg/WebID/rev/7f01174c75b0 So the TLS spec now is missing two references [[ berjon.biblio["RFC5746"] = "E. Rescorla, M. Ray, S. Dispensa, N. Oskov, <a href=\"http://tools.ietf.org/html/rfc5746\"><cite>Transport Layer Security (TLS) Renegotiation Indication Extension</cite></a> February 2010. Internet RFC 5246. URL: <a href=\"http://tools.ietf.org/html/rfc5746\">http://tools.ietf.org/html/rfc5746</a> "; berjon.biblio["WEBID"] = "Andrei Sambra, Stéphane Corlosquet. <a href='https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html' ]] Any idea how one can get those added to the code using the new specref? https://github.com/tobie/specref > > We split the identity part from the TLS part, and we have a definition > of WebID that is simple and implementable. Also a bit of philosophical > > We should be close to a new release. All we need is one document > to describe the other two docs. And perhaps a few tweaks.... > > Henry > > Begin forwarded message: > >> From: Dan Brickley <danbri@danbri.org> >> Subject: [foaf-protocols] WebID status recap? >> Date: 13 June 2013 21:39:26 CEST >> To: foaf-protocols@lists.foaf-project.org >> >> It's mid-2013. Can someone share an overview of the current status of >> WebID aka foaf+ssl, in terms of implementations, adoption and >> documentation at W3C? >> >> Thanks, >> >> Dan >> _______________________________________________ >> foaf-protocols mailing list >> foaf-protocols@lists.foaf-project.org >> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols > > Social Web Architect > http://bblfish.net/ > Social Web Architect http://bblfish.net/ _______________________________________________ foaf-protocols mailing list foaf-protocols@lists.foaf-project.org http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
Received on Friday, 14 June 2013 16:26:43 UTC