Re: PaySwarm and Trust Agility (was: PaySwarm and illegal sales? CCN)

On 08/27/2011 02:17 PM, Manu Sporny wrote:
> On 8/20/11 9:02 PM, Steven Rowat wrote:
>> However, your architecture of PaySwarm Authorities, in which there
>> are competing authorities that the user chooses among, much like,
>> say, a "Certified Organic" label from different certifying
>> organizations, might work well, possibly better. To maintain the
>> analogy: there's also a U.S. Federal single "organic" definition, but
>> that lends itself to pressure and interference from large
>> corporations, so sometimes the smaller more independent "Certified
>> Organic" labels indicate superior products.
>
> Yes, this is along the current line of thinking we have at Digital 
> Bazaar. Ultimately, it is up to the website giving you access based on 
> a Certificate of Authenticity to figure out if it trusts the person 
> that digitally signed your Certificate of Authenticity.
>
> We could depend on the Certificate Authorities that are out there 
> today to provide digital signatures as a bootstrap mechanism. We may 
> want to bootstrap /toward/ Trust Agility, but take advantage of the 
> current setup to take us there:
>
> http://blog.thoughtcrime.org/ssl-and-the-future-of-authenticity
>
> For example, if an asset is listed here:
>
> https://www.foofighters.com/songs/walk#asset
> https://www.foofighters.com/songs/walk#listing
>
> The digital signature for the Asset and Listing could be generated by 
> the same private key that is used to establish the authenticity of the 
> website.

Using the same key isn't even necessary when extending the Web Of Trust. 
Instead, if the site's SSL certificate is trusted, that trust could be 
extended to trust digital signatures that can be verified by public keys 
listed on that same site (for instance: 
https://www.foofighters.com/keys#public-key-1). The ownership of those 
keys by the identity that signed the Asset and Listing could be 
confirmed by dereferencing the IRI of the identity (also on the same 
site). This is similar to how WebID works.

-- 
Dave Longley
CTO
Digital Bazaar, Inc.

Received on Saturday, 27 August 2011 22:24:45 UTC
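
The trust extension described in the reply above, as an added example that is not part of the original message or PaySwarm's own code: a key is accepted for verifying an asset's signature only if it is served over HTTPS from the asset's own site and the signer's identity, also on that site, lists the key back. The `owner` and `publicKey` field names, the identity IRI, and the in-memory `SAMPLE_WEB` standing in for certificate-validated HTTPS fetches are assumptions; the cryptographic signature check itself would follow once the key is accepted.

```javascript
// Constructed sample data: what dereferencing each document over TLS would
// return. Field names "owner"/"publicKey" and the identity IRI are assumptions.
const SAMPLE_WEB = {
  'https://www.foofighters.com/keys': {
    'https://www.foofighters.com/keys#public-key-1': {
      owner: 'https://www.foofighters.com/identity#band',
    },
  },
  'https://www.foofighters.com/identity': {
    'https://www.foofighters.com/identity#band': {
      publicKey: ['https://www.foofighters.com/keys#public-key-1'],
    },
  },
  // A key hosted on another site that merely claims the same owner.
  'https://keys.example/k': {
    'https://keys.example/k#1': {
      owner: 'https://www.foofighters.com/identity#band',
    },
  },
};

// Stand-in for an HTTPS GET with certificate validation: returns the node
// named by the IRI plus its origin, or null if it cannot be obtained.
function dereference(iri, web) {
  const url = new URL(iri);
  if (url.protocol !== 'https:') return null; // no TLS, no trust to extend
  const node = (web[url.origin + url.pathname] || {})[iri];
  return node ? { origin: url.origin, node } : null;
}

// Decide whether keyIri may be used to verify signerIri's signature on assetIri.
function checkKeyTrust(assetIri, keyIri, signerIri, web) {
  const fail = (reason) => ({ trusted: false, reason });
  const siteOrigin = new URL(assetIri).origin;
  const key = dereference(keyIri, web);
  if (!key) return fail('key not dereferenceable over https');
  if (key.origin !== siteOrigin) return fail('key not listed on the asset site');
  if (key.node.owner !== signerIri) return fail('key names a different owner');
  const id = dereference(signerIri, web);
  if (!id || id.origin !== siteOrigin) return fail('identity not on the asset site');
  // The identity must link back to the key, otherwise anyone could claim it.
  if (!(id.node.publicKey || []).includes(keyIri)) {
    return fail('identity does not list the key');
  }
  return { trusted: true, reason: 'ok' };
}
```

The back-link check is what stops a key document from simply asserting ownership by an identity that never published that key.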