- From: Reto Bachmann-Gmuer <reto.bachmann@trialox.org>
- Date: Wed, 23 Feb 2011 13:33:25 +0100
- To: Henry Story <henry.story@bblfish.net>
- Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
- Message-ID: <AANLkTin8Sj52YQnuJpGh1AyMNGhRVVsNvjwTD7BG3JXc@mail.gmail.com>
On Wed, Feb 23, 2011 at 12:28 PM, Henry Story <henry.story@bblfish.net>wrote: > we should address this chicken and egg problem. > > > I am not sure if the chicken and egg problem has found a solution yet. > There are claims going both ways :-) And we can continue enjoying eggs in > the meantime. > The PGP-Wot approach is key-signing parties. I think the approach of WebId should be growing trust with increasing interaction over increasingly secure channels, without requiring a document to be shown (which the usual form of identity proof at key-signing parties) as what matters is not your passport of your DNA but your social identity within the networks in the physical world and on the web. There seems to be a misunderstanding: As often no more security than the one > offered by email authentication is needed it is a feature of WebId to offer > something at this level. WebId works also with insecure profile documents > which roughly offers the same security as email verification (email can be > more and maybe even less secure but that's not the point). > > > yes, WebID over unprotected connection is not secure. We leave it there to > get things going. But when seriously discussing WebID we should be assuming > TLS on both sides. > I disagree. We should discuss different levels of security and how higher security can evolve. As the fact that email-verification is so widespread shows, that this low degree of security is often regarded as safe enough for the purpose at hand. > Here I'm referring to the transitive trust features PGP WOT bases on (not > to anything relating to emails). The discussion on signing (parts of) > profile documents could allow transitive trust features. In the example in > http://www.w3.org/wiki/File:X509CertsAndSocialGraph.jpg you may trust jane > because you know Bruno and Bruno knows Jane but this doesn't give you a > reason to believe that XYZ is in fact the public key of Jane. > > The trust relation the image describes may be important for assigning > rights to Jane, the trust path I'm talking about (and which is implemented > pretty well in PGP) is necessary for authentication. > > > If he links to Jane referentially, and you get those keys that way, then > why would you not have *a* reason to believe that is her key? > The fact that Bruno points to https://jane.name/#j is Irrelevant for the association between <https://jane.name/#j> and XYZ. To trust this association I have to trust the holder and the signer of the server certificate for jane.name. > You may worry that she puts it on an untrusted host? Well then what of a > PGP owner who puts his private key on a virus infected computer? Again there > is no absolute. One has to look for coherence. > Right, the incoherence is showing the lack of security of CA-based traditional PKI and offer an improvement for client certs while relying solely on the traditional PKI for the trust into the WebId-Key association. > The danger of trying to go for military grade security, is that it ends up > costing a fortune, and is rarely used - like military grade secure > computers. So if we can build something that enables that without requiring > that, then one can get adoption and build use cases of increasing security > needs. > We are talking about building a technologies that support various degrees of security. Supporting the same level of security as PGP doesn't seem an exaggerated requirement to me. As you correctly describe, there is no absolute security, but there is a level of which we can realistically believe that it can assure private and secure communication even under conditions that would otherwise be a serious threat to freedom of communication. With WebId the degree of trust that the communication partner is who is claim to be should be solely a function of the of trust (both in their honesty and technical security) into the referring parties under condition that: - you are in full control of the signals you receive and that you emit - you are able to keep some secret key safe - you're able to correctly apply encryption algorithm - the applied encryption algorithms are safe I think we shouldn't try to cover situations where the attacker can invisibly walk through walls and play around with what's in our minds. Reto
Received on Wednesday, 23 February 2011 12:33:59 UTC