Re: WebID discussion in Debian

On 16 May 2013 04:04, Jonas Smedegaard <dr@jones.dk> wrote:

> [ yeah - seems my mails are finally allowed at the list :-D ]
>
> Quoting Melvin Carvalho (2013-05-15 12:02:21)
>
> > So in TPAC 6 months ago we decided to split webid into two parts
> formally:
> >
> > 1. Webid -- Identity (for which there is a new spec)
> > 2. WebID+TLS which is an authentication example.  Currently the
> WebID+TLS spec
> > actually has dependencies on FOAF and RSA keys ... so technically it is
> more
> > like WebID+TLS+FOAF+RSA
> >
> > What we're going for is a clean separation of concerns with many
> > possible auth layers built on top of a solid identity system.
>
> Sounds good to define and document identity and authentication
> separately. Unfortunately that work is only in draft form, which
> explicitly discourages promotion :-/
>
> BTW https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
> has a typo: "Tim Bernsers Lee".
>
>
>
> > On 15 May 2013 11:20, Jonas Smedegaard <dr@jones.dk> wrote:
> >> When Russ says "do we really need [...FOAF]" then he is most likely
> >> referring to our PGP-based Web of Trust (possibly the largest in the
> >> World!).
> >
> > Side note:  The PGP strong set is about 40k?  FOAF is much bigger as a
> > DNS based WOT.  But facebook is biggest still.  Much depends on your
> > perspective.
>
> I meant possibly largest *PGP-based* WoT.  I did not mean to start a
> pissing contest :-P
>
>
>
> >> Is he essentially correct that a) WebID is about *both*
> >> authentication and distributed identity management, and that b) when
> >> we already have strong distributed identity management with our PGP
> >> WoT then WebID is arguably unnecessary bloat?
> >
> > We try and separate these two concepts (identity and authentication)
> > as above, but it's a recent evolution so maybe not that well
> > explained.
> >
> > I'd actually love to see the PGP WoT and the Web WoT be one big
> > system.  WebID is primarily HTTP based with GET used as discovery.
> > PGP is primarily email based (with keyservers for discovery?) and both
> > have (generally RSA) keys and some meta data.  GPG has the advantage
> > of some great tools and security, the web has the advantage of
> > delivery to a wide audience.  Maybe one day this dream will come
> > true.  As of today, it would be really great to find some common
> > ground, leading to convergence, rather than the either/or
> > perspectives.
>
> Uhm, I missed your answer to the question.
>
> We share that dream, you and I.  Challenge here is not the dream, but
> how relevant that dream is for our friends that are not dreaming that
> same dream.
>
> Debian already has PGP-based WoT.  So question remains: how is WebID
> relevant for *Debian*?
>
>
OK I've read through the whole thread now.  It wasn't that long! :)

Background
==========

Using X.509 certificates for login to a webpage would work well, but people
often complain about the usability of X.509.  You can increasingly deploy
keys in a browser without X.509 certs, but this will come into its own
next year when crypto in the browser becomes a REC.

I actually use the SAME key for GPG as I do in my X.509 certificate.  The
server will be able to validate the public key, but then what next?  If your
public key is somehow able to be looked up (what we call an inverse
functional property) and approved, you don't really need to do any more.

If the key exists in isolation, you can provide another hint in the
certificate showing your identity.  This can be in the form of any URI.
Good candidates are URIs that represent A) an email address so that you can
then go to, for example, a keyserver (mailto:)  B) a key fingerprint which
can be looked up (di:) C) your profile page (http:/https:)

Note: you need not dereference in all cases, as caching is often employed.
Dereferencing occurs the minority of the time when a key is new or has
changed.

My Thoughts
===========

It's possible to get by with (A), and (C) could indeed be considered
unnecessary bloat.  However it's often the case that a good protocol allows
choice.  It's much harder to follow your nose with email to find, for
example, a user's name, avatar, projects, keys etc.  With the web it's as
easy as adding the "property" tag to add key/values to your HTML, so the
web flavour provides not only auth but extensibility and unexpected reuse.

So I would think that an ideal *initial* solution would be to take a GPG
key and translate it into an X.509 cert (I have code for this).  If the
server understands the key, you're done.  If not, add hints in the
subjectAlternativeName field as preferred.  The WebID community would be
happy if, at some point, HTTP URIs were allowed as a valid option, as this
would tie in the web of trust we are already building and to an extent
help to unite efforts.

I'm very interested to see if monkeysphere is working on a solution of this
kind.


>
>
>
> >> Please also read the follow-up by Daniel.
> >>
> >> Russ has been with Debian since forever, and is excellent at keeping
> >> separate own opinions from general views of the project.
> >>
> >> Daniel is slightly younger in Debian (about 10 years like myself, I
> >> think) and knows his way around crypto + can explain it in simple
> >> terms - he is involved in the development of Monkeysphere.
> >
> > Yes I know daniel from freedombox, we had a similar conversation, and
> > he's helped me a few times on the GPG user's list.
>
> Yup. Perhaps you noticed that the email thread that I referred to in my
> initial post here links back to that very conversation you had with
> Daniel at the FreedomBox list.  I was happy you got involved there!
>
> My remark above was for others here who might not know Daniel and Russ
> that well. :-)
>
>
> > In summary, technologies like GPG, WebID, DANE/DNSSEC, monkeysphere
> > and even FOAF have a lot in common in terms of the problems we're
> > trying to solve.  If somehow we can learn to work together (based on
> > the URI for email/http/key data) we could maybe build something really
> > great.
>
> Fully agree.
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
>
>

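The verification flow sketched in the Background section (server checks the certificate's public key, then follows a SAN URI hint to a profile that must list that same key, dereferencing only when the key is new), as an added example that is not code from the thread or from the WebID project. Certificates are stand-in dicts rather than parsed X.509, and the profile store is an in-memory dict instead of an HTTP GET, so it runs offline; PROFILES, fetch_profile and the key values are all constructed.

```python
"""WebID+TLS-style check: does the presented cert's RSA key appear in the
profile named by an http(s) URI in the cert's subjectAlternativeName?"""
from urllib.parse import urlsplit

# Which lookup each SAN URI scheme from the message implies (A, B, C).
HINT_LOOKUP = {"mailto": "keyserver", "di": "fingerprint", "http": "profile", "https": "profile"}

# Constructed profile documents keyed by WebID; each lists the owner's RSA
# public key(s) as (modulus, exponent), as a WebID profile would.
PROFILES = {
    "https://example.org/alice#me": {"keys": [{"modulus": 0xC0FFEE1234, "exponent": 65537}]},
    "https://example.org/bob#me":   {"keys": [{"modulus": 0xBADC0DE99,  "exponent": 65537}]},
}

# Already-verified (webid, modulus, exponent) triples: a key seen before is
# accepted without dereferencing again (the caching the message mentions).
_VERIFIED = set()


def classify_hint(uri):
    """Name the lookup a SAN URI hint calls for, or None for unknown schemes."""
    return HINT_LOOKUP.get(urlsplit(uri).scheme)


def fetch_profile(webid):
    """Stand-in for dereferencing the WebID over HTTP; None if not found."""
    return PROFILES.get(webid)


def verify_webid(cert, fetch=fetch_profile):
    """Return the first http(s) SAN URI whose profile lists the cert's key.

    mailto: and di: hints are left to other resolvers and skipped here.
    Returns None when no hint can be confirmed, so the caller must reject.
    """
    n, e = cert["modulus"], cert["exponent"]
    for uri in cert["san_uris"]:
        if classify_hint(uri) != "profile":
            continue
        if (uri, n, e) in _VERIFIED:        # cache hit: no dereference needed
            return uri
        profile = fetch(uri)
        if profile is None:
            continue
        for key in profile.get("keys", []):
            # Both modulus and exponent must match: naming someone else's
            # WebID in your own cert does not help without their private key.
            if key["modulus"] == n and key["exponent"] == e:
                _VERIFIED.add((uri, n, e))
                return uri
    return None
```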
Received on Thursday, 16 May 2013 08:17:13 UTC