- From: Reto Bachmann-Gmuer <reto.bachmann@trialox.org>
- Date: Thu, 24 Feb 2011 10:56:30 +0100
- To: peter williams <home_pw@msn.com>
- Cc: nathan@webr3.org, WebID XG <public-xg-webid@w3.org>
- Message-ID: <AANLkTi=CYKMTGfoWahgBEM8HqjO_BvuBjs=k12XMwL7q@mail.gmail.com>
On Wed, Feb 23, 2011 at 7:17 PM, peter williams <home_pw@msn.com> wrote:
>
> We cannot rearchitect internet security - and this seems the underlying
> goal. It's not realistic. The mail overload on now many topics should have
> shown that it's not feasible - as there are 100+ topics more, yet. Effective
> commodity internet security requires dominance of 12+ disciplines at 80%
> competency - as 75,000 CISSP certified folks doing internet security every
> day know.
>

I think there are fundamental differences between "Internet Security" and what WebId offers.

Internet Security is mainly driven by the concerns of corporations who want to have secure communication while using the cheap internet infrastructure. For this, legal identities have to be mapped to cryptographic identities, and security is ideally hidden away from the user in the lower-level protocols. The vision here is to have safe citadels on an insecure net. Where interaction with the rest of the world is necessary, https-sites combined with various forms of client authentication (as people seemed reluctant to just walk around with digital-id) should assure that the customer is (in terms of what the passport owned) who the company thinks he is.

WebId is fundamentally different. It arises from the decentralized architecture of the web, where nobody cares that you're a dog or how the digital identity relates to a physical person. The web offers social spaces that can be detached from the social networks in the physical world, but even in such detached networks trust and reputation are being built. That's why we need WebId; the WebId is the DNA of your virtual personae, which may or may not be related to who you really are. With the web becoming more and more an interactive place, the traditional asymmetry between the authenticated site and the unauthenticated user is no longer practicable.
With the online information sphere becoming the most important space for social change, linking the identities to legal entities can be more a risk than a security feature.

Don't scare people away from security. It's good to have 12 years of training with 100+ topics; however, also that 1/2 day GnuPG training of your local anarchists might cause an increase in the costs you cause to the secret services (if they think you're interesting enough :) ). WebID is easier than PGP and it integrates easily into the browser; this is what will hopefully make more people use it.

For the Web and the Internet to reach their full potential we need end-to-end security with users capable of controlling the cryptographic secrecy and identity they use; these decisions cannot be delegated and are highly context and application dependent. For this we do not need to invent new technologies; it's just about making existing decentralized security concepts more web-friendly and thus more attractive.

Reto
Received on Thursday, 24 February 2011 09:57:19 UTC