Re: WebID discussion in Debian

[continuing list+private, as I still seem to be blocked from the list]

Quoting Melvin Carvalho (2013-05-15 09:48:44)
> Para (1) -- Russ is correct ... if your HTTP URI is not https you can 
> be impersonated via MITM.  The natural conclusion is to think that you 
> need a CA certificate.  But that's only on first call, and assumes you 
> don't have a normative key cached.  Every time you notice a key change 
> you should be suspicious (as with SSH) ... but this is not documented 
> in the spec, afaik.

So would the below - which I think is also clearer for the 
anti-CA-cartel people in Debian - be correct?:

Yes, avoid unencrypted HTTP (i.e. use https or .onion or some other means), 
but there is no need to trust a CA for the server cert: similar to SSH you 
can instead maintain your own list of trusted certs (e.g. using 
Monkeysphere).

http://web.monkeysphere.info/

[a few understood and agreed upon remarks skipped]

> Para (4) -- WebID is about distributed identity.  WebID+TLS (which is 
> actually +FOAF+RSA) is one authentication method layered on top of 
> WebID.  People almost always couple the two together, and I don't think 
> the community really emphasises the value proposition of the 
> modularity.  This goes back to the days when WebID was called FOAF+SSL 
> ... today FOAF isn't mentioned in the core WebID spec.

Now you got even me confused (so no doubt have lost most of Debian!): 
I've heard about FOAF+SSL and WebID, but not FOAF+RSA or WebID+TLS.

If you mean to say that WebID is *not* tied to TLS, then perhaps it is 
better to point that out without adding _more_ new words.

When Russ says "do we really need [...FOAF]" then he is most likely 
referring to our PGP-based Web of Trust (possibly the largest in the 
World!).

Is he essentially correct that a) WebID is about *both* authentication 
and distributed identity management, and that b) when we already have 
strong distributed identity management with our PGP WoT then WebID is 
arguably unnecessary bloat?

Seems to me that you are not really (or only) addressing that point in 
your remark above.


> Quick Question: does debian have a CA, or is this a proposal?

Debian uses [SPI] as CA.  SPI currently issues certs on its own but is 
considering moving to chained certs under some cartel member (StartCom, 
if I recall correctly).

But this is not a discussion on "how do we handle our web certs".  It is 
a discussion on "how do we authenticate members of our community", and 
(some in) Debian are fundamentally sceptical of the CA cartel and the 
whole hierarchical trust structure of certs - even while being pragmatic 
towards the public and using such certs at public-facing services.


Please also read the follow-up by Daniel.

Russ has been with Debian since forever, and is excellent at keeping his 
own opinions separate from the general views of the project.

Daniel is slightly younger in Debian (about 10 years like myself, I 
think) and knows his way around crypto + can explain it in simple terms 
- he is involved in the development of Monkeysphere.


 - Jonas


[SPI]: http://www.spi-inc.org/

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Received on Wednesday, 15 May 2013 14:36:42 UTC
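The SSH-style alternative to CA trust that the message above proposes (pin the server certificate you first saw, and treat any later change as suspicious until verified out of band) is sketched below as an added example. It is editorial illustration, not code from the thread, from WebID or from Monkeysphere. The host names, the JSON pin-file layout and the sample certificate bytes are all constructed for the demo; only the SHA-256 fingerprint computation and the PEM handling use the Python standard library as-is.

```python
"""Trust-on-first-use (TOFU) pinning of TLS server certificates,
in the style of SSH's known_hosts, as an alternative to CA trust.

Added example; not code from the thread, from WebID or from Monkeysphere.
Pin-file layout and sample hosts/certificates are constructed for the demo.
"""
import hashlib
import json
import ssl
from pathlib import Path

NEW, OK, MISMATCH = "new", "ok", "mismatch"


def fingerprint(cert):
    """SHA-256 fingerprint of a certificate given as DER bytes or PEM text.

    Pinning the whole certificate (not just the public key) means a routine
    renewal also shows up as a change; that is the trade-off SSH makes too.
    """
    if isinstance(cert, str):
        # ssl.PEM_cert_to_DER_cert strips the PEM armour and base64-decodes.
        cert = ssl.PEM_cert_to_DER_cert(cert)
    return "sha256:" + hashlib.sha256(cert).hexdigest()


def check_pin(pins, host, cert):
    """Compare cert against the pin store (host -> fingerprint).

    First contact records the pin (TOFU) and returns NEW.
    A later identical certificate returns OK.
    A different certificate returns MISMATCH and does NOT update the pin:
    the change has to be verified out of band and accepted explicitly,
    exactly like a changed SSH host key.
    """
    seen = fingerprint(cert)
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = seen
        return NEW
    if pinned == seen:
        return OK
    return MISMATCH


def accept_pin(pins, host, cert):
    """Explicitly replace the pin for host after out-of-band verification."""
    pins[host] = fingerprint(cert)


class PinFile:
    """JSON-backed pin store; the file is a constructed format for this demo."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host, cert):
        result = check_pin(self.pins, host, cert)
        self.path.parent.mkdir(parents=True, exist_ok=True)
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))
        return result


def check_live(host, port=443, pinfile="~/.config/webid-pins/known_hosts.json"):
    """Fetch the live server certificate and check it against the pin file.

    Network call; not exercised by the offline demo below. The pin-file
    location is an assumption made for this example.
    """
    pem = ssl.get_server_certificate((host, port))
    return PinFile(Path(pinfile).expanduser()).check(host, pem)


if __name__ == "__main__":
    # Constructed stand-in certificate bytes; a real DER certificate would
    # come from ssl.get_server_certificate() or a Monkeysphere-validated key.
    first_cert = b"constructed DER bytes: identity server key #1"
    rotated_cert = b"constructed DER bytes: identity server key #2"
    pins = {}
    print(check_pin(pins, "id.example.org", first_cert))    # new: pinned
    print(check_pin(pins, "id.example.org", first_cert))    # ok
    print(check_pin(pins, "id.example.org", rotated_cert))  # mismatch: warn!
    accept_pin(pins, "id.example.org", rotated_cert)        # after verifying
    print(check_pin(pins, "id.example.org", rotated_cert))  # ok
```

The point of the `MISMATCH` branch is that it never silently re-pins: a MITM on a later connection cannot overwrite a pin established on the first one, which is the "be suspicious on key change" behaviour the quoted text asks for. The first connection remains the weak spot of any TOFU scheme, which is where an out-of-band channel such as Monkeysphere's OpenPGP web of trust (or a .onion address, which binds the name to the key itself) would fill the gap.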