- From: Olivier Berger <olivier.berger@telecom-sudparis.eu>
- Date: Wed, 29 May 2013 17:03:56 +0200
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: public-webid <public-webid@w3.org>
Hi.

Melvin Carvalho <melvincarvalho@gmail.com> writes:

> On 28 May 2013 11:14, Olivier Berger <olivier.berger@telecom-sudparis.eu> wrote:
>
>> Hi.
>>
>> In the discussion about the potential use of WebID + TLS as a means to
>> sign-in to Debian Web services/apps, we somehow came to the conclusion
>> [0] that it could be used provided that we establish trust in WebIDs
>> presented by users, only if they are signed with a GnuPG signature made
>> by an existing Debian contributor, leveraging the existing Debian GnuPG
>> Web of Trust [1].
>>
>> This use of an existing GnuPG WoT, which is essentially distributed,
>> fits well with many interesting aspects of WebID (under control of the
>> user, etc.).
>>
>> Wrt Linked Data, this is not exactly optimal: GPG signatures apply for
>> documents and not triples, so the model is not as elegant as we'd want
>> it? I guess other signature mechanisms could be more Linked Data proof,
>> and may make more sense wrt WebID and trust.
>>
>> Has this topic of trust wrt WebID been discussed already?
>>
>
> Manu Sporny, who wrote the original WebID+TLS spec, put together another
> spec, WebKeys, to be used for encrypting and signing messages.
>
> https://payswarm.com/specs/source/web-keys/
>
> Could this solve the problem?

This looks interesting, but I find it strange that neither GPG nor GnuPG terms seem to find a match in that document :-/

>
> I'm unsure what you want to sign, the webid itself, the webid profile page,
> or the triples associated with the agent ...

At the moment, the only easy to implement option is the signing of the whole FOAF/WebID profile page/document with an external GPG signature file, linked to with a wot:assurance relation. But I guess ultimately, only some specific triples might be signed, which would avoid the need to regenerate the signature every time the document changes.

And only a specific set of attributes of a WebID may need to be trusted by services, like the foaf:mbox which binds the WebID and one of the GPG key's IDs.

Thanks for your feedback.

Best regards,

--
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
Received on Wednesday, 29 May 2013 15:04:30 UTC
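
The trade-off discussed in the message above (signing the whole profile document versus only the triples a service relies on, such as foaf:mbox), as an added example that is not part of the original message or of any WebID tooling. The SHA-256 digests stand in for the bytes a detached GnuPG signature would cover; the profile URIs, the N-Triples serialization and the sort-based canonical form (valid only without blank nodes) are assumptions made for illustration.

```python
import hashlib

FOAF = "http://xmlns.com/foaf/0.1/"
ME = "<https://example.org/alice#me>"          # constructed WebID
TRUSTED_PREDICATES = {f"<{FOAF}mbox>"}         # attributes a service relies on

# Constructed sample profiles in N-Triples (one triple per line, no blank nodes).
PROFILE_V1 = f"""\
{ME} <{FOAF}name> "Alice Example" .
{ME} <{FOAF}mbox> <mailto:alice@example.org> .
{ME} <{FOAF}homepage> <https://example.org/alice> .
"""
# Unrelated edit: homepage changed and triples reordered, mbox untouched.
PROFILE_V2 = f"""\
{ME} <{FOAF}homepage> <https://example.org/~alice/> .
{ME} <{FOAF}mbox> <mailto:alice@example.org> .
{ME} <{FOAF}name> "Alice Example" .
"""
# Security-relevant edit: the mbox binding itself was changed.
PROFILE_V3 = PROFILE_V1.replace("alice@example.org", "mallory@example.net")

def parse_ntriples(text):
    """Parse simple N-Triples lines into a set of (subject, predicate, object)."""
    triples = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.endswith("."):
            raise ValueError(f"not an N-Triples statement: {line!r}")
        s, p, o = line[:-1].strip().split(" ", 2)
        triples.add((s, p, o.strip()))
    return triples

def document_digest(text):
    """Digest of the raw document bytes: what a detached signature file covers."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def trusted_subset_digest(text, subject=ME):
    """Digest of only the trusted triples, sorted into a stable serialization."""
    subset = sorted(t for t in parse_ntriples(text)
                    if t[0] == subject and t[1] in TRUSTED_PREDICATES)
    if not subset:
        raise ValueError("profile carries no trusted triples to sign")
    canonical = "".join(f"{s} {p} {o} .\n" for s, p, o in subset)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
```

A verifier using the subset approach still has to check the signature over that digest against a key in the web of trust; the digest only fixes which statements the signature vouches for.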