Re: SSL and the Future of Authenticity

On 10/5/11 2:21 PM, Manu Sporny wrote:
> On 10/05/11 10:51, Kingsley Idehen wrote:
>>> http://convergence.io/
>> How does that differ from WebID's authentication protocol? Remember
>> the goal here isn't just "Trust" but "Dexterous Trust".
> WebID establishes trust by doing the following:
>
> 1. Publishing a public key somewhere on the Web.
> 2. Digitally signing a request to the verification agent using the
>     private key and including a public key URL download location.
> 3. The verifier then retrieves the public key and checks the signature,
>     if the signature works, the client is who they say they are.
>
> Convergence establishes trust by doing the following:
>
> 1. Requesting the peer's certificate.
> 2. Asking X Notaries that you trust to request the peer's certificate.
> 3. If all of the certificates match, you can trust that the remote
>     peer's certificate is the site.
>
> Both approaches:
>
> 1. Allow you to create and publish your own certificates/public keys.
> 2. Enable Trust Agility - you choose who you trust.
> 3. Are decentralized/distributed in nature.
>
> WebID is better because:
>
> 1. It doesn't require both parties to run public IP addresses for
>     two-way validation.
> 2. It may work better in closed networks.
> 3. You can attach far more information to your certificate than
>     just the basic data a certificate provides today.
>
> Convergence is better because:
>
> 1. It is fully backwards compatible with all existing deployed
>     certificates. No change to the certificates that people are using
>     is required.
> 2. It is more extensible, using multi-factor authentication of
>     certificates.

That's subject to WebID implementation. Our implementation works with
existing certificates too.
We also have N-factors re. identity verification. Our WebID innovation
that others can implement, so I wouldn't tag any of the above as WebID
disadvantages; that's more to do with WebID implementations.

>> How does this solution handle a thief in possession of my Private
>> Key?
> In both cases, you just create a new certificate. That is:
>
> For WebID: You delete your old key-pair from your public WebID URL. You
> generate a new key-pair and publish it to your public WebID URL. You
> generate a new certificate with the new key-pair and use that.

Yes.

> For Convergence: You delete your old certificate and create a new one
> that is published through your Web server.

But what about when you don't have Web Server access? Re. WebID you
publish to a Data Space, you don't need to be the Web Server admin.

> I don't think the two solutions are really in the same space.
>
> WebID is a solution for identity on the Web.

WebID enables verifiable identity.

> Convergence is a solution for removing the need for Certificate
> Authorities on the Web and preventing MITM attacks.

WebID enables that too, and some :-)
> -- manu
>


-- 

Regards,

Kingsley Idehen
President & CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
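The WebID steps Manu lists (publish a public key at a URL, sign a request that points at that URL, verifier dereferences the URL and checks the signature) and the stolen-key recovery both participants agree on, as an added Go example that is not code from the thread or from any WebID implementation. Assumptions: an in-memory map stands in for "somewhere on the Web", Ed25519 is the signature scheme, and the verifier binds each request to a nonce it issued.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// webIDProfiles is a stand-in for the Web: the verifier fetches whatever
// key is currently published at the WebID URL, so removing a key here is
// the revocation the thread describes ("delete your old key-pair").
var webIDProfiles = map[string]ed25519.PublicKey{}

// Publish puts a public key at a WebID URL (step 1 in Manu's list).
func Publish(url string, pub ed25519.PublicKey) { webIDProfiles[url] = pub }

// Revoke removes the key from the profile after a suspected compromise.
func Revoke(url string) { delete(webIDProfiles, url) }

// Request is what the client sends: the key URL plus a signature over the
// verifier's nonce (step 2). The nonce keeps a captured request from being replayed.
type Request struct {
	KeyURL    string
	Nonce     []byte
	Signature []byte
}

// Sign builds the request with the client's private key.
func Sign(keyURL string, nonce []byte, priv ed25519.PrivateKey) Request {
	return Request{KeyURL: keyURL, Nonce: nonce, Signature: ed25519.Sign(priv, nonce)}
}

// Verify dereferences the key URL and checks the signature (step 3).
func Verify(req Request, issuedNonce []byte) error {
	if !bytes.Equal(req.Nonce, issuedNonce) {
		return errors.New("nonce mismatch: request was not made for this challenge")
	}
	pub, ok := webIDProfiles[req.KeyURL]
	if !ok {
		return errors.New("no public key published at " + req.KeyURL)
	}
	if !ed25519.Verify(pub, req.Nonce, req.Signature) {
		return errors.New("signature does not verify against the published key")
	}
	return nil
}

func main() {
	url := "https://example.org/alice#me" // constructed WebID URL
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	Publish(url, pub)
	nonce := []byte("verifier-nonce-1") // constructed challenge
	fmt.Println("current key:", Verify(Sign(url, nonce, priv), nonce))
	Revoke(url) // private key stolen: drop the old key, publish a fresh one
	_, priv2, _ := ed25519.GenerateKey(rand.Reader)
	pub2 := priv2.Public().(ed25519.PublicKey)
	Publish(url, pub2)
	fmt.Println("old key after rotation:", Verify(Sign(url, nonce, priv), nonce))
	fmt.Println("new key after rotation:", Verify(Sign(url, nonce, priv2), nonce))
}
```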

Received on Wednesday, 5 October 2011 21:24:23 UTC