Re: WebID discussion in Debian

On 15 May 2013 11:20, Jonas Smedegaard <dr@jones.dk> wrote:

> [continuing list+private, as I seem still blocked from the list]
>
> Quoting Melvin Carvalho (2013-05-15 09:48:44)
> > Para (1) -- Russ is correct ... if your HTTP URI is not https you can
> > be impersonated via MITM.  The natural conclusion is to think that you
> > need a CA certificate.  But that's only on first call, and assumes you
> > don't have a normative key cached.  Every time you notice a key change
> > you should be suspicious (as with SSH) ... but this is not documented
> > in the spec, afaik.
>
> So would the below - which I think is more clear also for the
> anti-CA-cartel people in Debian - be correct?:
>
> Yes, avoid unencrypted HTTP (i.e. https or .onion or some other means),
> but no need to trust a CA for the server cert: similar to SSH you can
> instead maintain your own list of trusted certs (e.g. using
> Monkeysphere).
>
> http://web.monkeysphere.info/
>

That's a nice way to put it yes.

Side note: I *purposefully* use http and run the risk of MITM because
there's not too much damage that can be done right now, and in the long
term we want solutions that do not require the CA cartel.  I would use
https currently for things like payments ontologies or identity providers
and just pay a CA.



>
> [a few understood and agreed upon remarks skipped]
>
> > Para (4) -- WebID is about distributed identity.  WebID+TLS (which is
> > actually +FOAF+RSA) is one authentication method layered on top of
> > WebID.  People almost always couple the two together, and I don't think
> > the community really emphasises the value proposition of the
> > modularity.  This goes back to the days when WebID was called FOAF+SSL
> > ... today FOAF isn't mentioned in the core WebID spec.
>
> Now you got even me confused (so no doubt have lost most of Debian!):
> I've heard about FOAF+SSL and WebID, but not FOAF+RSA or WebID+TLS.
>

So at TPAC 6 months ago we decided to split WebID into two parts formally:

1. WebID -- Identity (for which there is a new spec)
2. WebID+TLS which is an authentication example.  Currently the WebID+TLS
spec actually has dependencies on FOAF and RSA keys ... so technically it
is more like WebID+TLS+FOAF+RSA.

What we're going for is a clean separation of concerns with many possible
auth layers built on top of a solid identity system.


>
> If you mean to say that WebID is *not* tied to TLS, then perhaps it is
> better to point that out without adding _more_ new words.
>
> When Russ says "do we really need [...FOAF]" then he is most likely
> referring to our PGP-based Web of Trust (possibly the largest in the
> World!).
>

Side note:  The PGP strong set is about 40k?  FOAF is much bigger as a DNS
based WOT.  But Facebook is biggest still.  Much depends on your
perspective.


>
> Is he essentially correct that a) WebID is about *both* authentication
> and distributed identity management, and that b) when we already have
> strong distributed identity management with our PGP WoT then WebID is
> arguably unnecessary bloat?
>

We try and separate these two concepts (identity and authentication) as
above, but it's a recent evolution so maybe not that well explained.

I'd actually love to see the PGP WoT and the Web WoT be one big system.
WebID is primarily HTTP based with GET used as discovery.  PGP is primarily
email based (with keyservers for discovery?) and both have (generally RSA)
keys and some metadata.  GPG has the advantage of some great tools and
security, the web has the advantage of delivery to a wide audience.  Maybe
one day this dream will come true.  As of today, it would be really great
to find some common ground, leading to convergence, rather than the
either/or perspectives.


>
> Seems to me that you are not really (or only) addressing that point in
> your remark above.
>

I think I covered a few of these (maybe too many!) to try and clarify the
current state of WebID.


>
>
> > Quick Question: does debian have a CA, or is this a proposal?
>
> Debian uses [SPI] as CA.  SPI currently issues certs on its own but is
> considering moving to chained certs under some cartel member (StartCom,
> if I recall correctly).
>
> But this is not a discussion on "how do we handle our web certs".  It is
> a discussion on "how do we authenticate members of our community" and
> (some in) Debian are fundamentally sceptical of the CA cartel and the
> whole hierarchical trust structure of certs - even if being pragmatic
> towards the public and using such certs at public-facing services.
>

Sure, we're mostly skeptical too :)


>
>
> Please also read the follow-up by Daniel.
>
> Russ has been with Debian since forever, and is excellent at keeping
> separate own opinions from general views of the project.
>
> Daniel is slightly younger in Debian (about 10 years like myself, I
> think) and knows his way around crypto + can explain it in simple terms
> - he is involved in the development of Monkeysphere.
>

Yes, I know Daniel from FreedomBox; we had a similar conversation, and he's
helped me a few times on the GPG users' list.

In summary, technologies like GPG, WebID, DANE/DNSSEC, Monkeysphere and
even FOAF have a lot in common in terms of the problems we're trying to
solve.  If somehow we can learn to work together (based on the URI for
email/http/key data) we could maybe build something really great.


>
>
>  - Jonas
>
>
> [SPI]: http://www.spi-inc.org/
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
>

Received on Wednesday, 15 May 2013 10:02:54 UTC
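The thread above makes two technical points: the WebID profile fetch can be MITM'd unless the server key is pinned SSH-style (trust on first use, alarm on change), and WebID+TLS authenticates by checking that the public key in the client certificate is listed in the profile found at the WebID URI. The following is an added illustration of both checks combined; it is not code from the thread, from the WebID spec or from Monkeysphere. The pin store, the DER key bytes and the parsed profile keys are constructed inputs, and the function names are my own.

```python
"""Constructed sketch: WebID+TLS key check with SSH-style pinning of the profile server key."""
import hashlib
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# host -> SHA-256 fingerprint of the server's DER-encoded public key.
# Constructed in-memory store; a real client would persist it like ~/.ssh/known_hosts.
PinStore = Dict[str, str]
RsaKey = Tuple[int, int]  # (modulus, public exponent), as a parsed cert:RSAPublicKey


def fingerprint(der_public_key: bytes) -> str:
    """Stable identifier for a server public key; the value the pin store remembers."""
    return hashlib.sha256(der_public_key).hexdigest()


def check_server_pin(store: PinStore, host: str, der_public_key: bytes) -> str:
    """Trust-on-first-use: 'new' pins the key, 'match' confirms it, 'changed' is the SSH-style alarm."""
    fp = fingerprint(der_public_key)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "match" if pinned == fp else "changed"


def verify_webid_tls(
    store: PinStore,
    webid: str,
    server_der_key: bytes,      # public key the profile server presented during the fetch
    profile_keys: List[RsaKey], # cert:key entries parsed from the profile at `webid`
    client_key: RsaKey,         # public key taken from the client's TLS certificate
) -> Tuple[bool, str]:
    """Accept only if the profile server key is not a surprise AND the client key is in the profile."""
    host = urlparse(webid).hostname or ""
    status = check_server_pin(store, host, server_der_key)
    if status == "changed":
        # A changed profile-server key is exactly the MITM signal the thread describes:
        # refuse to trust anything the profile says until a human has checked the new key.
        return False, f"server key for {host} changed since last visit; profile not trusted"
    if client_key in profile_keys:
        return True, f"client key listed in profile ({status} server key)"
    return False, "client key not listed in profile"


if __name__ == "__main__":
    pins: PinStore = {}
    me = "http://example.org/profile#me"   # constructed WebID
    key: RsaKey = (0xC0FFEE, 65537)       # constructed modulus/exponent
    print(verify_webid_tls(pins, me, b"constructed-der-A", [key], key))
    print(verify_webid_tls(pins, me, b"constructed-der-B", [key], key))  # key changed -> rejected
```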