- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 05 Oct 2011 14:21:23 -0400
- To: public-webpayments@w3.org

On 10/05/11 10:51, Kingsley Idehen wrote:
>> http://convergence.io/
>
> How does that differ from WebID's authentication protocol? Remember
> the goal here isn't just "Trust" but "Dexterous Trust".

WebID establishes trust by doing the following:

1. Publishing a public key somewhere on the Web.
2. Digitally signing a request to the verification agent using the private key and including a public key URL download location.
3. The verifier then retrieves the public key and checks the signature, if the signature works, the client is who they say they are.

Convergence establishes trust by doing the following:

1. Requesting the peer's certificate.
2. Asking X Notaries that you trust to request the peer's certificate.
3. If all of the certificates match, you can trust that the remote peer's certificate is the site.

Both approaches:

1. Allow you to create and publish your own certificates/public keys.
2. Enable Trust Agility - you choose who you trust.
3. Are decentralized/distributed in nature.

WebID is better because:

1. It doesn't require both parties to run public IP addresses for two-way validation.
2. It may work better in closed networks.
3. You can attach far more information to your certificate than just the basic data a certificate provides today.

Convergence is better because:

1. It is fully backwards compatible with all existing deployed certificates. No change to the certificates that people are using is required.
2. It is more extensible, using multi-factor authentication of certificates.

> How does this solution handle a thief in possession of my Private
> Key?

In both cases, you just create a new certificate. That is:

For WebID: You delete your old key-pair from your public WebID URL. You generate a new key-pair and publish it to your public WebID URL. You generate a new certificate with the new key-pair and use that.

For Convergence: You delete your old certificate and create a new one that is published through your Web server.

I don't think the two solutions are really in the same space. WebID is a solution for identity on the Web. Convergence is a solution for removing the need for Certificate Authorities on the Web and preventing MITM attacks.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
Standardizing Payment Links
http://manu.sporny.org/2011/payment-links/

Received on Wednesday, 5 October 2011 18:21:48 UTC
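
The three Convergence steps listed in the message above can be sketched as a client-side check. This is an added example, not part of the original message and not Convergence's own code; the `NotaryReply` type, the `convergence_check` function, the notary names and the certificate bytes are all constructed for illustration, and treating an unreachable notary as a failure is an assumption.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class NotaryReply:
    notary: str                 # hypothetical notary name
    cert_der: Optional[bytes]   # None: the notary could not fetch the peer's cert


def convergence_check(direct_cert: bytes,
                      replies: List[NotaryReply]) -> Tuple[bool, List[str]]:
    """Trust the peer only if every notary saw the certificate we saw.

    Step 1 (requesting the peer's certificate) yields direct_cert;
    step 2 (asking trusted notaries) yields replies;
    step 3 is the all-must-match comparison below.
    """
    local = fingerprint(direct_cert)
    problems: List[str] = []
    if not replies:
        problems.append("no notaries consulted")
    for reply in replies:
        if reply.cert_der is None:
            # Assumption: fail closed when a notary gives no answer.
            problems.append(f"{reply.notary}: no answer")
        elif fingerprint(reply.cert_der) != local:
            # The notary's network path saw a different certificate than
            # ours did, which is what an interception on our path looks like.
            problems.append(f"{reply.notary}: saw a different certificate")
    return (not problems, problems)


# Constructed stand-ins for DER-encoded certificates.
SITE_CERT = b"constructed-der-bytes-of-the-site-certificate"
OTHER_CERT = b"constructed-der-bytes-of-a-substituted-certificate"

if __name__ == "__main__":
    notaries = [NotaryReply("notary-a", SITE_CERT),
                NotaryReply("notary-b", SITE_CERT)]
    print(convergence_check(SITE_CERT, notaries))    # all views agree
    print(convergence_check(OTHER_CERT, notaries))   # our view differs
```
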