Re: World Wide Web of Trust

On 21 Dec 2011, at 11:19, Peter Williams wrote:

> > (Note also that that an RSA or DSA key used to create/encapsulated within a WebID certificate can also be expressed as a PGP key...)

> This is logically true. Any blob can be re-packaged and indexed in a unique repository, assumings it is public data with bears no copyright or other use controls. At higher assurance levels, its not a valid argument however.

Yes — obviously if you’re changing the content of a signed blob (whether it’s transforming it into a different internal representation or otherwise), you’re going to need the private key that was used to sign the original in order to sign the resulting blob — which is easy when you’re dealing with self-issued material (as you hold the key), and tending towards impossible when it‘s not (because you don’t).

> Remember, the web is a low assurnace environment, aiming at 80% quality, most of the time. Crypto has to fit, that goal set. It has to be able to be upgraded for the fewer cases that demand more, when using the same software. Thus, your windows box has to come from the retail store with one group of settings, assume that the user will then turn off all those damn-annoying security features, use some third party software that convers the cert into a pgp blob, and then ALSO be selectively upgraded when talking to certain sites (like banking) when protecting against poor design (that created the world of spam, porn virus, sip viruses, abd web phishing.)

Which is perhaps an argument for separating the 'identification' and 'assurance' — be that through something like InfoCard (dead as it is), some other kind of SAML-based thing (xml-enc issues notwithstanding), X.509 Attribute Certificates, or something else…


Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

Received on Wednesday, 21 December 2011 13:59:25 UTC