Re: Signed WebID documents and trust wrt GPG Web of Trust from Henry Story on 2013-05-29 (public-webid@w3.org from May 2013)

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 29 May 2013 09:29:09 +0200
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Olivier Berger <olivier.berger@telecom-sudparis.eu>, public-webid <public-webid@w3.org>
Message-Id: <8D7EC3B3-7E71-47CA-B350-520C9CC78867@bblfish.net>

On 29 May 2013, at 01:14, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> 
> 
> 
> On 28 May 2013 11:14, Olivier Berger <olivier.berger@telecom-sudparis.eu> wrote:
> Hi.
> 
> In the discussion about the potential use of WebID + TLS as a mean to
> sign-in to Debian Web services/apps, we somehow came to the conclusion
> [0] that it could be used provided that we establish trust in WebIDs
> presented by users, only if they are signed with a GnuPG signature made
> by an existing Debian contributor, leveraging the existing Debian GnuPG
> Web of Trust [1].
> 
> This use of an existing GnuPG WoT, which is essentially distributed,
> fits well with many interesting aspects of WebID (under control of the
> user, etc.).
> 
> Wrt Linked Data, this is not exactly optimal : GPG signatures apply for
> documents and not triples, so the model is not as elegant as we'd want
> it ? I guess other signature mechanisms could be more Linked Data proof,
> and may make more sense wrt WebID and trust.
> 
> Has this topic of trust wrt WebID been discussed already ?
> 
> Manu Sporny, who wrote the original WebID+TLS spec,

Saying that he wrote the original WebID+TLS spec is pure fantasy. He helped host
the group for a while. The spec has it's origins way before Manu's intervention.
He never participated in the WebID Incubator group. 
As a result I have removed his name as a author from the latest spec drafts, 
given that he is in fact publically arguing against WebId. His name
remains in the contributors section though.

> put together another spec, WebKeys, to be used for encrypting and signing messages.  
> 
> https://payswarm.com/specs/source/web-keys/
> 
> Could this solve the problem?
> 
> I'm unsure what you want to sign, the webid itself, the webid profile page, or the triples associated with the agent ...
>  
> 
> I guess it could make an interesting use case anyway.
> 
> Any comments ?
> 
> Best regards,
> 
> [0] http://lists.debian.org/debian-devel/2013/05/msg01098.html
> [1] http://www.debian.org/doc/manuals/developers-reference/new-maintainer.html#registering
> --
> Olivier BERGER
> http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
> Ingenieur Recherche - Dept INF
> Institut Mines-Telecom, Telecom SudParis, Evry (France)
> 
> 
> 
> 

Social Web Architect
http://bblfish.net/

Received on Wednesday, 29 May 2013 07:29:44 UTC