Re: slow down and organize

On Wed, Feb 23, 2011 at 7:17 PM, peter williams <> wrote:

> We cannot rearchitect internet security - and this seems the underlying
> goal. It's not realistic. The mail overload on now many topics should have
> shown that it's not feasible - as there are 100+ topics more, yet. Effective
> commodity internet security requires dominance of 12+ disciplines at 80%
> competency - as 75,000 CISSP certified folks doing internet security every
> day know.

I think there are fundamental differences between "Internet Security" and
what WebId offers. Internet Security is mainly driven by the concerns of
corporations who want to have secure communication while using the cheap
internet infrastructure. For this, legal identities have to be mapped to
cryptographic identities, and security is ideally hidden away from the user
in the lower level protocols. The vision here is to have safe citadels on an
insecure net. Where interaction with the rest of the world is necessary,
https-sites combined with various forms of client authentication (as people
seemed reluctant to just walk around with a digital-id) should assure that the
customer is (in terms of what the passport owned) who the company thinks
he is.

WebId is fundamentally different. It arises from the decentralized
architecture of the web, where nobody cares that you're a dog or how the
digital identity relates to a physical person. The web offers social spaces
that can be detached from the social networks in the physical world, but
even in such detached networks trust and reputation are being built. That's
why we need WebId; the WebId is the DNA of your virtual personae, which may
or may not be related to who you really are. With the web becoming more and
more an interactive place, the traditional asymmetry between the
authenticated site and the unauthenticated user is no longer practicable.
With the online information sphere becoming the most important space for
social change, linking the identities to legal entities can be more of a risk
than a security feature.

Don't scare people away from security; it's good to have 12 years of training
with 100+ topics, however also that 1/2 day GnuPG training of your local
anarchists might cause an increase in the costs you cause to the secret
services (if they think you're interesting enough :) ). WebID is easier than
PGP and it integrates easily into the browser; this is what will hopefully
make more people use it.

For the Web and the Internet to reach their full potential we need
end-to-end security with users capable of controlling the cryptographic
secrecy and identity they use; these decisions cannot be delegated and are
highly context- and application-dependent. For this we do not need to invent
new technologies; it's just about making existing decentralized security
concepts more web-friendly and thus more attractive.
Received on Thursday, 24 February 2011 09:57:19 UTC