- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 15 May 2013 12:13:56 +0200
- To: Henry Story <henry.story@bblfish.net>
- Cc: Jonas Smedegaard <dr@jones.dk>, public-webid <public-webid@w3.org>, Kingsley Idehen <kidehen@openlinksw.com>
- Message-ID: <CAKaEYhKsEA7RBWZ_5SM_kwL78xYYwkHybk2Kg50py9fCf6VKmw@mail.gmail.com>
On 15 May 2013 12:11, Henry Story <henry.story@bblfish.net> wrote:

> On 15 May 2013, at 12:02, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>
> On 15 May 2013 11:20, Jonas Smedegaard <dr@jones.dk> wrote:
>
>> [continuing list+private, as I seem still blocked from the list]
>>
>> Quoting Melvin Carvalho (2013-05-15 09:48:44)
>> > Para (1) -- Russ is correct ... if your HTTP URI is not https you can
>> > be impersonated via MITM. The natural conclusion is to think that you
>> > need a CA certificate. But that's only on first call, and assumes you
>> > don't have a normative key cached. Every time you notice a key change
>> > you should be suspicious (as with SSH) ... but this is not documented
>> > in the spec, afaik.
>>
>> So would the below - which I think is more clear also for the
>> anti-CA-cartel people in Debian - be correct?:
>>
>> Yes, avoid unencrypted HTTP (i.e. https or .onion or some other mean),
>> but no need to trust CA for the server cert: Similar to SSH you can
>> instead maintain your own list of trusted certs (e.g. using
>> Monkeysphere).
>>
>> http://web.monkeysphere.info/
>
> That's a nice way to put it yes.
>
> Side note: I *purposefully* use http and run the risk of MITM because
> there's not too much damage that can be done right now, and in the long
> term we want solutions that do not require the CA cartel. I would use
> https currently for things like payments ontologies or identity providers
> and just pay a CA.
>
>> [a few understood and agreed upon remarks skipped]
>>
>> > Para (4) -- WebID is about distributed identity. WebID+TLS (which is
>> > actually +FOAF+RSA) is one authentication method layered on top of
>> > WebID. People almost always couple the two together, and I don't think
>> > the community really emphasises the value proposition of the
>> > modularity. This goes back to the days when WebID was called FOAF+SSL
>> > ... today FOAF isn't mentioned in the core WebID spec.
>>
>> Now you got even me confused (so no doubt have lost most of Debian!):
>> I've heard about FOAF+SSL and WebID, but not FOAF+RSA or WebID+TLS.
>
> So in TPAC 6 months ago we decided to split webid into two parts formally:
>
> 1. Webid -- Identity (for which there is a new spec)
> 2. WebID+TLS which is an authentication example. Currently the WebID+TLS
> spec actually has dependencies on FOAF and RSA keys ... so technically it
> is more like WebID+TLS+FOAF+RSA
>
> It helps to add links to the specs when mentioning these:
> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
>
> btw the link from the current spec that points to the latest version
> points here:
> https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index-respec.html
>
> It currently redirects after a few seconds to the tls-respec. Could
> someone make a very nice version of that page so that it does not
> redirect but just points to both specs with a short summary? That would
> be very nice.

Would it perhaps be an idea to put this on webid.info ?

> What we're going for is a clean separation of concerns with many possible
> auth layers built on top of a solid identity system.
>
>> If you mean to say that WebID is *not* tied to TLS, then perhaps it is
>> better to point that out without adding _more_ new words.
>>
>> When Russ says "do we really need [...FOAF]" then he is most likely
>> referring to our PGP-based Web of Trust (possibly the largest in the
>> World!).
>
> Side note: The PGP strong set is about 40k? FOAF is much bigger as a DNS
> based WOT. But Facebook is biggest still. Much depends on your
> perspective.
>
>> Is he essentially correct that a) WebID is about *both* authentication
>> and distributed identity management, and that b) when we already have
>> strong distributed identity management with our PGP WoT then WebID is
>> arguably unnecessary bloat?
>
> We try and separate these two concepts (identity and authentication) as
> above, but it's a recent evolution so maybe not that well explained.
>
> I'd actually love to see the PGP WoT and the Web WoT be one big system.
> WebID is primarily HTTP based with GET used as discovery. PGP is primarily
> email based (with keyservers for discovery?) and both have (generally RSA)
> keys and some meta data. GPG has the advantage of some great tools and
> security, the web has the advantage of delivery to a wide audience. Maybe
> one day this dream will come true. As of today, it would be really great
> to find some common ground, leading to convergence, rather than the
> either/or perspectives.
>
>> Seems to me that you are not really (or only) addressing that point in
>> your remark above.
>
> I think I covered a few of these (maybe too many!) to try and clarify the
> current state of WebID
>
>> > Quick Question: does debian have a CA, or is this a proposal?
>>
>> Debian uses [SPI] as CA. SPI currently issue certs on their own but is
>> considering moving to chained certs under some cartel member (StartCom,
>> if I recall correctly).
>>
>> But this is not a discussion on "how do we handle our web certs". It is
>> a discussion on "how do we authenticate members of our community" and
>> (some in) Debian is fundamentally sceptical to the CA cartel and the
>> whole hierarchical trust structure of certs - even if being pragmatic
>> towards the public and using such certs at public-facing services.
>
> Sure, we're mostly skeptical too :)
>
>> Please also read the follow-up by Daniel.
>>
>> Russ has been with Debian since forever, and is excellent at keeping
>> separate own opinions from general views of the project.
>>
>> Daniel is slightly younger in Debian (about 10 years like myself, I
>> think) and knows his way around crypto + can explain it in simple terms
>> - he is involved in the development of Monkeysphere.
>
> Yes, I know Daniel from FreedomBox, we had a similar conversation, and he's
> helped me a few times on the GPG user's list.
>
> In summary, technologies like GPG, WebID, DANE/DNSSEC, monkeysphere and
> even FOAF have a lot in common in terms of the problems we're trying to
> solve. If somehow we can learn to work together (based on the URI for
> email/http/key data) we could maybe build something really great.
>
>> - Jonas
>>
>> [SPI]: http://www.spi-inc.org/
>>
>> --
>> * Jonas Smedegaard - idealist & Internet-arkitekt
>> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
>>
>> [x] quote me freely [ ] ask before reusing [ ] keep private
>
> Social Web Architect
> http://bblfish.net/
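Editor's added example (Python, not part of the thread above or of any WebID project code): the two mechanisms the thread discusses, put together as a verifier would run them. First, the WebID+TLS key match: the client certificate names a WebID in its subjectAltName, the verifier dereferences that WebID's profile, and accepts only if the certificate's RSA modulus and exponent appear under cert:key for that WebID (the cert ontology at http://www.w3.org/ns/auth/cert#, which is the "RSA dependency" Melvin refers to). Second, the SSH-style alternative to a CA that Jonas and Melvin describe: pin the profile host's TLS certificate on first contact and treat any later change as a reason to stop, not as something to silently re-trust. Assumptions: the profile, hosts, key values and certificate bytes are all constructed sample data; the profile is matched with a small regex for the exact Turtle shape the spec's examples use (the `cert:` prefix and an absolute subject URI) rather than a real RDF parser; extracting the SAN and RSA parameters from a real X.509 certificate and the TLS handshake itself are out of scope and represented by plain values.

```python
import hashlib
import re

# --- Constructed sample data (not taken from the thread or any real host) ----
WEBID = "https://id.example.org/alice/card#me"
PROFILE_HOST = "id.example.org"

# A WebID profile in the shape the WebID-TLS spec's examples use: the WebID
# is the subject of cert:key, whose object is an RSA public key described by
# cert:modulus (xsd:hexBinary) and cert:exponent (integer). Two keys are
# listed to show that any one of them may match the presented certificate.
SAMPLE_PROFILE = """\
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<https://id.example.org/alice/card#me> a foaf:Person ;
    foaf:name "Alice" ;
    cert:key [ a cert:RSAPublicKey ;
               cert:modulus "00C0FFEE1234567890ABCDEF00FEDCBA0987654321"^^xsd:hexBinary ;
               cert:exponent 65537 ] ,
             [ a cert:RSAPublicKey ;
               cert:modulus "00DEADBEEF0123456789ABCDEF"^^xsd:hexBinary ;
               cert:exponent 65537 ] .
"""

# RSA parameters a verifier would read out of the client certificate that
# carries WEBID in its subjectAltName (toy-sized, constructed values).
CLIENT_MODULUS = int("00C0FFEE1234567890ABCDEF00FEDCBA0987654321", 16)
CLIENT_EXPONENT = 65537

# Stand-ins for the DER bytes of the TLS certificate the profile host presents
# on the first connection and the bytes an interceptor would present later.
SERVER_CERT_DER = b"constructed DER of id.example.org's own certificate"
MITM_CERT_DER = b"constructed DER of a certificate an interceptor presents"

# --- WebID+TLS: does the certificate's key appear in the WebID's profile? ---
_KEY_BLOCK = re.compile(r"\[([^\]]*)\]", re.S)
_MODULUS = re.compile(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"\^\^xsd:hexBinary')
_EXPONENT = re.compile(r"cert:exponent\s+(\d+)")


def profile_keys(turtle: str, webid: str) -> list[tuple[int, int]]:
    """Return the (modulus, exponent) pairs the profile asserts for `webid`.

    Assumption: minimal pattern matcher for the spec-example shape above, not a
    Turtle parser. Only keys whose subject is `webid` count; a profile may also
    list keys for other people, and those must not authenticate this WebID.
    """
    keys = []
    for statement in re.split(r"\s\.\s", turtle):  # statements end with " ."
        if not statement.lstrip().startswith(f"<{webid}>"):
            continue
        _, found, after_key = statement.partition("cert:key")
        if not found:
            continue
        for block in _KEY_BLOCK.findall(after_key):
            mod, exp = _MODULUS.search(block), _EXPONENT.search(block)
            if mod and exp:
                hex_digits = re.sub(r"\s", "", mod.group(1))  # hexBinary may wrap
                keys.append((int(hex_digits, 16), int(exp.group(1))))
    return keys


def webid_key_matches(turtle: str, webid: str, modulus: int, exponent: int) -> bool:
    """The core WebID+TLS check: compare as integers, so leading zeros in the
    hexBinary literal do not cause spurious mismatches."""
    return (modulus, exponent) in profile_keys(turtle, webid)


# --- SSH-style pinning of the profile host instead of a CA chain -------------
class PinStore:
    """known_hosts-style store: first contact pins the certificate fingerprint,
    every later contact must present the same one."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, host: str, cert_der: bytes) -> str:
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fingerprint
            return "pinned"          # trust on first use
        if pinned == fingerprint:
            return "match"
        return "changed"             # rotation or MITM: stop and ask the operator


def verify_webid_tls(store: PinStore, host: str, server_cert_der: bytes,
                     profile: str, webid: str, modulus: int, exponent: int) -> str:
    """Both checks in the order that matters: a profile fetched from a host whose
    key just changed must not be trusted, so the pin check comes first."""
    if store.check(host, server_cert_der) == "changed":
        return "rejected: profile host key changed"
    if not webid_key_matches(profile, webid, modulus, exponent):
        return "rejected: certificate key not in profile"
    return "authenticated"


if __name__ == "__main__":
    store = PinStore()
    for der in (SERVER_CERT_DER, SERVER_CERT_DER, MITM_CERT_DER):
        print(verify_webid_tls(store, PROFILE_HOST, der, SAMPLE_PROFILE,
                               WEBID, CLIENT_MODULUS, CLIENT_EXPONENT))
```

In a deployment the modulus and exponent come from the client certificate received in the TLS handshake, and the profile is fetched with a GET over a connection to the pinned host; the `changed` outcome is meant to be surfaced like an SSH host-key warning, with the pin replaced only after a human has confirmed the rotation.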
Received on Wednesday, 15 May 2013 10:14:24 UTC