
Re: Secure Email using WebID and Webfinger

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 26 Jan 2011 11:52:07 +0100
Cc: FOAF Protocols <foaf-protocols@lists.foaf-project.org>, public-xg-webid@w3.org
Message-Id: <C7DCFCCC-1700-42F5-A1DB-2CE926B6C487@bblfish.net>
To: Daniël Bos (远洋) <corani@gmail.com>

That is a good use case, Daniel.

At a later stage one could imagine even being able to
avoid WebFinger by having a new e-mail header such as Sent-by-WebID: . 

For the WebID spec it raises the question whether one might not need to publish
one's public keys even after they have expired - (one lost one's public
key or something). For example if someone sent me an e-mail on a certain
date that he signed I might still want to verify his signature. His
public key could be thought of as being valid until a certain date.
[ something to add to the issues list ? ]

As far as making e-mail safer, the foaf-protocols list came
up with a RESTful solution, that in my view would bypass the need
to do anything to the slow-moving clients, and could even help us put
an end to e-mail completely. The idea is simply to think of blog
entries as e-mails written to the world. If you add access control
to a blog entry so that only one person can read it, and you find
a way to ping them using http://esw.w3.org/Pingback perhaps, then
they can come and read their mail. You need only then add an SMTP
to RESTful mail proxy, and you could read your RESTful mail with
a normal mail client.

  See the thread: http://markmail.org/thread/zi546wy4x6avbbff

Those solutions are not exclusive of course.


On 26 Jan 2011, at 07:55, Daniël Bos (远洋) wrote:

> I just wanted to share an idea I had recently:
> A couple of months ago it was shown on the list how a WebID
> certificate could be transformed into a PGP key-pair (I believe by
> Nathan). At the time I didn't pay a lot of attention to it, because
> using PGP is a bit of a pain in the b*tt because of the whole key
> distribution problem. Recently, however, I had a bit of an epiphany on
> how this could be made completely transparent and much more
> user-friendly. (I wrote up a blog post at:
> http://blog.loadingdata.nl/2011/01/secure-e-mail-using-webid/)
> What if we'd mix in a bit of Webfinger, and use the WebID profile as a
> way to get to someone's public key? When composing an email, upon
> entering the recipients email address, a smart email application can
> go off to do a Webfinger lookup and find the link to the user's WebID
> profile. From this profile it can find the recipient's public key,
> which may be used to encrypt the message. On the other hand it can use
> its own private key to sign the message, while the recipient can use
> the sender's address to do the same lookup to get to the sender's public
> key for verification.
> Now you can not only send email securely and privately, but you can also
> use other information from a user's WebID profile to make the whole
> email experience a lot better. (collate messages from various email
> addresses under the same user, use the depiction, use address and
> birthday, take advantage of the social graph to partition email, etc.)
> -- 
> 远洋 / Daniël Bos
> email  : corani@gmail.com
> phone  : +31-318-711063 (Dutch) / +86-18-701330735 (Chinese)
> weblog : http://blog.loadingdata.nl/
> ostatus: corani@status.loadingdata.nl

Social Web Architect
Received on Wednesday, 26 January 2011 10:52:43 UTC
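
The question raised above about keeping expired public keys published, sketched as an added example (not part of the original message and not taken from the WebID spec). It selects the published key that may verify an old signed mail, anchored on the receiver's own receipt time rather than the sender-written Date header. The `not_before`/`not_after` profile fields, the key labels, the address and the two-day skew are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

UTC = timezone.utc

@dataclass(frozen=True)
class PublishedKey:
    key_id: str           # constructed label, not a real fingerprint
    not_before: datetime  # hypothetical profile field
    not_after: datetime   # hypothetical profile field, kept after expiry

# Constructed profile: the expired 2010 key stays published beside the current one.
PROFILE_KEYS = [
    PublishedKey("key-2010", datetime(2010, 1, 1, tzinfo=UTC),
                 datetime(2010, 12, 31, 23, 59, 59, tzinfo=UTC)),
    PublishedKey("key-2011", datetime(2011, 1, 1, tzinfo=UTC),
                 datetime(2011, 12, 31, 23, 59, 59, tzinfo=UTC)),
]
MAX_SKEW = timedelta(days=2)  # assumed tolerance between Date header and receipt

def candidate_keys(raw_message, received_at, keys=PROFILE_KEYS):
    """Return (status, keys) for the keys that may verify this message.

    received_at is the receiver's own timezone-aware record of arrival. The
    Date header is written by the sender, so it is only a consistency check:
    a holder of a leaked, expired key could otherwise backdate mail.
    """
    date_header = message_from_string(raw_message)["Date"]
    if date_header is None:
        return "reject: no Date header", []
    claimed = parsedate_to_datetime(date_header)
    if claimed.tzinfo is None:
        return "reject: Date header has no usable time zone", []
    if abs(received_at - claimed) > MAX_SKEW:
        return "reject: Date header disagrees with receipt time", []
    valid = [k for k in keys if k.not_before <= received_at <= k.not_after]
    if not valid:
        return "unverifiable: no published key covers the receipt time", []
    return "ok", valid

# Constructed message, signed in 2010 and checked again after that key expired.
OLD_MAIL = ("From: alice@example.org\n"
            "Date: Tue, 14 Dec 2010 09:30:00 +0100\n\nsigned body\n")
```

The signature itself would then be checked against each returned key; a profile that drops expired keys lands in the "unverifiable" branch for every old message.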
