Re: Secure Email using WebID and Webfinger

That is a good use case, Daniel.

At a later stage one could imagine even being able to
avoid WebFinger by having a new e-mail header such as Sent-by-WebID: . 

For the WebID spec it raises the question whether one might not need to publish
one's public keys even after they have expired - (one lost one's public
key or something). For example if someone sent me an e-mail on a certain
date that he signed I might still want to verify his signature. His 
public key could be thought of as being valid until a certain date.
[ something to add to the issues list ? ]

As far as making e-mail safer, the foaf-protocols list came
up with a RESTful solution, that in my view would bypass the need
to do anything to the slow moving clients, and could even help us put
an end to e-mail completely. The idea is simply to think of blog
entries as e-mails written to the world. If you add access control
to a blog entry so that only one person can read it, and you find
a way to ping them using perhaps, then
they can come and read their mail. You need only then add an SMTP
to RESTful mail proxy, and you could read your RESTful mail with
a normal mail client.

  See the thread:

Those solutions are not exclusive of course.


On 26 Jan 2011, at 07:55, Daniël Bos (远洋) wrote:

> I just wanted to share an idea I had recently:
> A couple of months ago it was shown on the list how a WebID
> certificate could be transformed into a PGP key-pair (I believe by
> Nathan). At the time I didn't pay a lot of attention to it, because
> using PGP is a bit of a pain in the b*tt because of the whole key
> distribution problem. Recently, however, I had a bit of an epiphany on
> how this could be made completely transparent and much more
> user-friendly. (I wrote up a blog post at:
> What if we'd mix in a bit of Webfinger, and use the WebID profile as a
> way to get to someone's public key? When composing an email, upon
> entering the recipient's email address, a smart email application can
> go off to do a Webfinger lookup and find the link to the user's WebID
> profile. From this profile it can find the recipient's public key,
> which may be used to encrypt the message. On the other hand it can use
> its own private key to sign the message, while the recipient can use
> the sender's address to do the same lookup to get to the sender's public
> key for verification.
> Now you can not only send email securely and privately, but you can also
> use other information from a user's WebID profile to make the whole
> email experience a lot better. (collate messages from various email
> addresses under the same user, use the depiction, use address and
> birthday, take advantage of the social graph to partition email, etc.)
> -- 
> 远洋 / Daniël Bos
> email  :
> phone  : +31-318-711063 (Dutch) / +86-18-701330735 (Chinese)
> weblog :
> ostatus:

Social Web Architect

Received on Wednesday, 26 January 2011 10:52:43 UTC
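
Added example, not part of the original messages: a Python sketch of the lookup Daniël describes (address to WebID profile to public key), combined with the point raised in the reply about keeping expired keys published with a validity date so that old signatures can still be checked. The dictionaries, field names, example.org address and toy textbook-RSA keys are all constructed assumptions; real Webfinger and WebID lookups are network requests and real signatures use a padded scheme.

```python
import hashlib
from datetime import date

def make_key(p, q, valid_from, valid_until, e=65537):
    """Textbook RSA from two primes (toy sizes, no padding: illustration only)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    public = {"modulus": n, "exponent": e,
              "valid_from": valid_from, "valid_until": valid_until}
    return public, d

# Constructed data standing in for the two network lookups.
OLD_PUB, OLD_D = make_key(2**61 - 1, 2**89 - 1, date(2009, 1, 1), date(2010, 12, 31))
NEW_PUB, NEW_D = make_key(2**107 - 1, 2**127 - 1, date(2011, 1, 1), date(2012, 12, 31))
WEBFINGER = {"alice@example.org": "https://example.org/alice#me"}  # address -> WebID
PROFILES = {"https://example.org/alice#me": [OLD_PUB, NEW_PUB]}    # expired key kept

def digest(message, modulus):
    """SHA-256 of the message, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus

def sign(message, modulus, d):
    return pow(digest(message, modulus), d, modulus)

def keys_valid_on(address, day):
    """Address -> WebID -> published keys whose validity window covers `day`."""
    profile = PROFILES[WEBFINGER[address]]
    return [k for k in profile if k["valid_from"] <= day <= k["valid_until"]]

def verify(address, message, signature, signed_on):
    """Accept only if a key that was valid on the signing date matches."""
    return any(
        pow(signature, k["exponent"], k["modulus"]) == digest(message, k["modulus"])
        for k in keys_valid_on(address, signed_on)
    )

if __name__ == "__main__":
    mail = b"Lunch on Friday?"  # constructed sample message
    sig = sign(mail, OLD_PUB["modulus"], OLD_D)
    # Signed while the old key was valid: still verifiable after expiry.
    print(verify("alice@example.org", mail, sig, date(2010, 6, 1)))
    # Same signature claimed for a date outside the old key's window: rejected.
    print(verify("alice@example.org", mail, sig, date(2011, 1, 26)))
```

The signing date is taken on trust here; a verifier that reads it from the message itself should remember that whoever holds an old private key can also choose the date written on a forged message.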