RE: WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of Trust [research]

It does need some more refinement.

I see a PGP WoT qualifying the public key present in a FOAF card.

If a resource server receives a self-signed cert during SSL client authn, obtains attributes from a (trustworthy) network source located using the subject's name, and determines that one attribute is the public key of the self-signed cert, then it may consult the PGP key ring.

If the public key is on the PGP key ring, the key ring will compute a confidence metric for that key given the context of intended usage and the intended audience (based on some logic specific to the PGP community). If the metric passes a threshold on some scale, the resource server relies on the evidences from the various parties and proceeds to access control (as is traditional in IBAC systems for 30+ years).

If you don't like PGP or its means of computing confidence metrics, one uses something equivalent for computing a metric, such as an OCSP responder located by a URI in the self-signed cert, or one uses cert chains and CRLDPs and delta CRLs... One can even use a FOAF graph... or a Facebook/Twitter "following chain".

-----Original Message-----
From: [] On Behalf Of WebID Incubator Group Issue Tracker
Sent: Monday, February 21, 2011 12:58 AM
Subject: WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of Trust [research]

WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of Trust [research]

Raised by: Reto Bachmann-Gmür
On product: research

Compare what can be done and how easy it is using PGP-WOT vs. WebId technologies.

WebId offers an easier weak security mechanism (replacement of email authentication); can WebId also provide a high degree of security with transitive trust features?

Received on Monday, 21 February 2011 15:30:08 UTC
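
The flow described in the reply above (match the certificate's key against the profile, consult the key ring, compare a confidence score to a threshold), sketched as an added example that is not part of the original message or any WebID or PGP code. The SHA-256 fingerprint, the introducer names, rejecting keys that are absent from the ring, and the scoring rule (a simplified form of the classic PGP default of one fully trusted or three marginally trusted signers) are assumptions of this sketch.

```python
import hashlib

FULL, MARGINAL = "full", "marginal"

def fingerprint(public_key: bytes) -> str:
    # Stand-in key identifier: SHA-256 over the raw key bytes (assumption).
    return hashlib.sha256(public_key).hexdigest()

class KeyRing:
    def __init__(self, owner_trust, signatures):
        self.owner_trust = owner_trust  # introducer name -> FULL or MARGINAL
        self.signatures = signatures    # key fingerprint -> set of introducer names

    def confidence(self, fpr):
        """Return None if the key is not on the ring, else a score in [0, 1]."""
        if fpr not in self.signatures:
            return None
        levels = [self.owner_trust.get(s) for s in self.signatures[fpr]]
        # One fully trusted signer, or three marginal ones, gives a score of 1.0.
        return min(1.0, levels.count(FULL) + levels.count(MARGINAL) / 3)

def authenticate(cert_key, profile_keys, ring, threshold=1.0):
    fpr = fingerprint(cert_key)
    # The key in the self-signed cert must be one the fetched profile asserts.
    if fpr not in {fingerprint(k) for k in profile_keys}:
        return "reject: key not in profile"
    score = ring.confidence(fpr)
    if score is None:
        # Choice made by this sketch; the message does not cover this case.
        return "reject: key not on key ring"
    if score < threshold:
        return "reject: confidence below threshold"
    return "proceed to access control"

# Constructed sample data: keys are placeholder byte strings, not real keys.
ALICE, BOB, CAROL = b"alice-key", b"bob-key", b"carol-key"
RING = KeyRing(
    owner_trust={"dave": FULL, "erin": MARGINAL, "frank": MARGINAL},
    signatures={fingerprint(ALICE): {"dave"}, fingerprint(BOB): {"erin", "frank"}},
)

if __name__ == "__main__":
    cases = [("alice", ALICE, [ALICE]), ("bob", BOB, [BOB]),
             ("carol", CAROL, [CAROL]), ("mismatch", ALICE, [BOB])]
    for name, key, profile in cases:
        print(name, "->", authenticate(key, profile, RING))
```

Swapping `KeyRing.confidence` for another scorer (an OCSP answer, a chain check, a graph distance) leaves `authenticate` unchanged, which is the substitution the reply describes.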