Re: WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of Trust [research] from Reto Bachmann-Gmuer on 2011-02-23 (public-xg-webid@w3.org from February 2011)

From: Reto Bachmann-Gmuer <reto.bachmann@trialox.org>
Date: Wed, 23 Feb 2011 11:07:02 +0100
To: Henry Story <henry.story@bblfish.net>
Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
Message-ID: <AANLkTikTXCORCLXT13iHHKxe9e-mwAkx+6Orj62Ngcym@mail.gmail.com>

On Tue, Feb 22, 2011 at 9:44 PM, Henry Story <henry.story@bblfish.net>wrote:

>
> On 21 Feb 2011, at 09:58, WebID Incubator Group Issue Tracker wrote:
>
> >
> > WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of
> Trust [research]
> >
> > http://www.w3.org/2005/Incubator/webid/track/issues/45
> >
> > Raised by: Reto Bachmann-Gmür
> > On product: research
> >
> > Compare what can be done and how easy it is using PGP-WOT vs. WebId
> technologies.
>
> Does this FAQ answer the question?
>
> http://www.w3.org/wiki/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F
>
No, I'm talking about an honest comparison, the above doesn't talka about
what the trust in the document retrieved dereferencing an URI bases on, we
should address this chicken and egg problem. Also the advantage to be able
to revoke trust should be weighted against the advantage of functioning even
if (large) parts of the network are down. I'm convinced that with the
technologies behind WebId we can do something that it is not only easier but
also as secure as PGP-WOT, but this requires filling some gaps on the
technological level.


> >
> > WebId offers easier weak security mechanism (replacement of email
> authentication),
>
> Here you are speaking of authentication. WebID  is stronger than e-mail
> authentication. E-mail hops over many intermediaries, usually without
> encryption and the message can be change on the way. In webid you have a
> secure connection
>
There seems to be a misunderstanding: As often no more security than the one
offered by email authentication is needed it is a feature of WebId to offer
something at this level. WebId works also with insecure profile documents
which roughly offers the same security as email verification (email can be
more and maybe even less secure but that's not the point).


> > can WebId also provide high degree of security with transitive trust
> features?
>
> So the issue here is one of trust. e-mail does not provide any trust, other
> than for large players like facebook, that can correlate the e-mail to
> social networks, and so use that information to work out a trust graph.
> WebId will benefit from some of the same network effects, though less
> centralised ones.
>
Here I'm referring to the transitive trust features PGP WOT bases on (not to
anything relating to emails). The discussion on signing (parts of) profile
documents could allow transitive trust features. In the example in
http://www.w3.org/wiki/File:X509CertsAndSocialGraph.jpg you may trust jane
because you know Bruno and Bruno knows Jane but this doesn't give you a
reason to believe that XYZ is in fact the public key of Jane. The trust
relation the image describes may be important for assigning rights to Jane,
the trust path I'm talking about (and which is implemented pretty well in
PGP) is necessary for authentication.

Reto

Received on Wednesday, 23 February 2011 10:07:35 UTC