W3C home > Mailing lists > Public > public-webpayments@w3.org > October 2011

Re: SSL and the Future of Authenticity

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Wed, 05 Oct 2011 17:23:49 -0400
Message-ID: <4E8CCAE5.7010404@openlinksw.com>
To: public-webpayments@w3.org
On 10/5/11 2:21 PM, Manu Sporny wrote:
> On 10/05/11 10:51, Kingsley Idehen wrote:
>>> http://convergence.io/
>> How does that differ from WebID's authentication protocol? Remember
>> the goal here isn't just "Trust" but "Dexterous Trust".
> WebID establishes trust by doing the following:
> 1. Publishing a public key somewhere on the Web.
> 2. Digitally signing a request to the verification agent using the
>     private key and including a public key URL download location.
> 3. The verifier then retrieves the public key and checks the signature,
>     if the signature works, the client is who they say they are.
> Convergence establishes trust by doing the following:
> 1. Requesting the peer's certificate.
> 2. Asking X Notaries that you trust to request the peer's certificate.
> 3. If all of the certificates match, you can trust that the remote
>     peer's certificate is the site.
> Both approaches:
> 1. Allow you to create and publish your own certificates/public keys.
> 2. Enable Trust Agility - you choose who you trust.
> 3. Are decentralized/distributed in nature.
> WebID is better because:
> 1. It doesn't require both parties to run public IP addresses for
>     two-way validation.
> 2. It may work better in closed networks.
> 3. You can attach far more information to your certificate than
>     just the basic data a certificate provides today.
> Convergence is better because:
> 1. It is fully backwards compatible with all existing deployed
>     certificates. No change to the certificates that people are using
>     is required.
> 2. It is more extensible, using multi-factor authentication of
>     certificates.

That's subject to WebID implementation. Our implementation works with 
existing certificates too.
We also have N-factors re. identity verification. Our WebID innovation 
that others can implement, so I would tag that any of the above as WebID 
disadvantages, that's more to do with WebID implementations.

>> How does this solution handle a thief in possession of my Private
>> Key?
> In both cases, you just create a new certificate. That is:
> For WebID: You delete your old key-pair from your public WebID URL. You
> generate a new key-pair and publish it to your public WebID URL. You
> generate a new certificate with the new key-pair and use that.

> For Convergence: You delete your old certificate and create a new one
> that is published through your Web server.
But what about when you don't have Web Server access? Re. WebID you 
publish to a Data Space, you don't need to be the Web Server admin.

> I don't think the two solutions are really in the same space.
> WebID is a solution for identity on the Web.

WebID enables verifiable identity.
> Convergence is a solution for removing the need for Certificate
> Authorities on the Web and preventing MITM attacks.

WebID enables that too, and some :-)
> -- manu



Kingsley Idehen	
President&  CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen

Received on Wednesday, 5 October 2011 21:24:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:19 UTC