- From: Reto Bachmann-Gmuer <reto.bachmann@trialox.org>
- Date: Wed, 23 Feb 2011 11:07:02 +0100
- To: Henry Story <henry.story@bblfish.net>
- Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
- Message-ID: <AANLkTikTXCORCLXT13iHHKxe9e-mwAkx+6Orj62Ngcym@mail.gmail.com>
On Tue, Feb 22, 2011 at 9:44 PM, Henry Story <henry.story@bblfish.net> wrote:

> On 21 Feb 2011, at 09:58, WebID Incubator Group Issue Tracker wrote:
>
> > WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of Trust [research]
> >
> > http://www.w3.org/2005/Incubator/webid/track/issues/45
> >
> > Raised by: Reto Bachmann-Gmür
> > On product: research
> >
> > Compare what can be done and how easy it is using PGP-WOT vs. WebId technologies.
>
> Does this FAQ answer the question?
>
> http://www.w3.org/wiki/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F

No, I'm talking about an honest comparison. The above doesn't talk about what the trust in the document retrieved by dereferencing a URI is based on; we should address this chicken-and-egg problem. Also, the advantage of being able to revoke trust should be weighed against the advantage of functioning even if (large) parts of the network are down.

I'm convinced that with the technologies behind WebId we can do something that is not only easier but also as secure as PGP-WOT, but this requires filling some gaps on the technological level.

> > WebId offers easier weak security mechanism (replacement of email authentication),
>
> Here you are speaking of authentication. WebID is stronger than e-mail authentication. E-mail hops over many intermediaries, usually without encryption and the message can be changed on the way. In webid you have a secure connection

There seems to be a misunderstanding: as often no more security than the one offered by email authentication is needed, it is a feature of WebId to offer something at this level. WebId also works with insecure profile documents, which offers roughly the same security as email verification (email can be more and maybe even less secure, but that's not the point).

> > can WebId also provide high degree of security with transitive trust features?
>
> So the issue here is one of trust. E-mail does not provide any trust, other than for large players like Facebook, that can correlate the e-mail to social networks, and so use that information to work out a trust graph. WebId will benefit from some of the same network effects, though less centralised ones.

Here I'm referring to the transitive trust features PGP WOT is based on (not to anything relating to emails). The discussion on signing (parts of) profile documents could allow transitive trust features.

In the example in http://www.w3.org/wiki/File:X509CertsAndSocialGraph.jpg you may trust Jane because you know Bruno and Bruno knows Jane, but this doesn't give you a reason to believe that XYZ is in fact the public key of Jane. The trust relation the image describes may be important for assigning rights to Jane; the trust path I'm talking about (and which is implemented pretty well in PGP) is necessary for authentication.

Reto
Received on Wednesday, 23 February 2011 10:07:35 UTC