
Fwd: [Freedombox-discuss] WebID

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 6 Mar 2011 19:56:25 +0100
Message-ID: <AANLkTikaVX=hF-xj8SV=A-KVoiKmEm3CL=0L8PhrAZzP@mail.gmail.com>
To: foaf-protocols@lists.foaf-project.org, WebID XG <public-xg-webid@w3.org>, Inkster Toby <mail@tobyinkster.co.uk>

WebID + Perl implementation in Debian

---------- Forwarded message ----------
From: Jonas Smedegaard <dr@jones.dk>
Date: 6 March 2011 19:27
Subject: [Freedombox-discuss] WebID
To: freedombox-discuss@lists.alioth.debian.org

On Tue, Mar 01, 2011 at 07:51:07PM +0100, Melvin Carvalho wrote:
> On 1 March 2011 19:34, Jonas Smedegaard <dr@jones.dk> wrote:
>> On Tue, Mar 01, 2011 at 07:04:53PM +0100, Melvin Carvalho wrote:
>>> On 1 March 2011 18:44, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>>>> On 03/01/2011 12:33 PM, Melvin Carvalho wrote:
>>>>> But actually there is a way in the case of the Freedom Box, because you have the advantage of controlling your own server.
>>>>> Since you are already running a webserver and (hopefully) have control of your DNS.
>>>>> You can provide a two-way verification chain.
>>>>> 1. Your Person Profile publishes your public key.  (this is a few lines of html5, should be easy)
>>>>> 2. Point your self-signed X.509 to your Freedom Box profile.  This can be done by putting an entry in the SubjectAltName field of the cert, a common technique.
>>>>> This provides strong verification for all the X.509 tool chain and means you can talk security to any server using SSL/TLS which is most of them, providing strong authentication as a side product.
>>>> This doesn't provide an adequate means of revocation, though.  If an attacker gets control over your key, and is able to repoint DNS, then you cannot publish any revocation statement about this key through this channel.
>>> If an attacker does gain these two points of control, and they knew what they were doing, you could have an issue yes.
>>> We need to scope out a revocation model, but I don't think it's that hard.  May already be something existing, I'll have a check.
>> Without playing with it yet myself, I blindly assumed Monkeysphere was usable for exactly this: use GPG web of trust to assure certificates.
>>>> These two points are what I meant when I said that this model has "no way of verifying/revoking these keys".
>>>> I'm sure you could graft something like this onto <X.509+your scheme above>; but OpenPGP already exists and handles these cases pretty well.  Why reinvent the wheel?
>>> Because X.509 is quite webby, and the web is the dominant ecosystem on the internet.
>> More specifically: TLS allows for RESTful secure identity handling - which helps save bandwidth as it is friendly to proxies and other caching.
>> http://www.w3.org/wiki/WebID
> Yes, exactly.
> There's a group that has now moved this a step closer to standardization with a W3C Web Consortium Incubator Group.
> http://www.w3.org/2005/Incubator/webid/charter
> I know revocation has been raised as a topic.  I normally listen in on the telecons, so I can report back on this topic, and any others people wish to raise.


On a related note, I have now (after fighting intensely with it for 3 days,
producing the needed 27 Debian packages) packaged
libcgi-auth-foaf-ssl-perl, which is a Perl implementation of WebID.

The work is now pending approval into Debian, and is also available
using the following APT line:

 deb http://debian.jones.dk/ sid freedombox

I would appreciate any and all comments on these packages (and also do
tell me if you are interested in the field of RDF using Perl and need
other libraries packaged!).

- Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
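The two-step chain discussed in the quoted thread (the profile publishes the public key, the self-signed certificate's SubjectAltName points at the profile) as an added Python example; this is not the libcgi-auth-foaf-ssl-perl module nor any code from the thread. It assumes the certificate fields are already parsed, a Turtle profile using the W3C cert vocabulary, and replaces the HTTPS fetch with an in-memory store.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the fields an application takes from the client's
# self-signed X.509 certificate after the TLS handshake. A real deployment
# reads them with a certificate parser; the modulus is a placeholder, not a key.
CLIENT_CERT = {
    "san_uris": ["https://box.example.org/profile#me"],
    "modulus_hex": "00" + "c0ffee11" * 8,   # leading 00 as OpenSSL prints it
    "exponent": 65537,
}

# Constructed profile document, as the Freedom Box would serve it at
# https://box.example.org/profile (Turtle + W3C cert vocabulary is an assumption).
PROFILE = """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<https://box.example.org/profile#me> cert:key [
    cert:modulus "C0FFEE11C0FFEE11C0FFEE11C0FFEE11C0FFEE11C0FFEE11C0FFEE11C0FFEE11"^^xsd:hexBinary ;
    cert:exponent 65537
] .
"""

def keys_for_subject(turtle, webid):
    """(modulus, exponent) integer pairs the profile binds to this WebID.
    Regex over one cert:key block, not a full RDF parser; int() normalises
    hex case and leading zeros so both encodings compare equal."""
    m = re.search(r"<" + re.escape(webid) + r">\s+cert:key\s+\[(.*?)\]", turtle, re.S)
    if not m:
        return []
    mods = re.findall(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"', m.group(1))
    exps = re.findall(r"cert:exponent\s+(\d+)", m.group(1))
    return list(zip((int("".join(x.split()), 16) for x in mods), map(int, exps)))

def verify_webid(cert, fetch_profile):
    """Return the first https SAN URI whose dereferenced profile publishes the
    certificate's key, else None. fetch_profile(uri) stands in for the HTTPS GET
    of the profile: the DNS/server-control step that anchors the chain, and the
    only channel through which the owner can revoke (by dropping the key)."""
    cert_key = (int(cert["modulus_hex"], 16), cert["exponent"])
    for uri in cert["san_uris"]:
        if urlparse(uri).scheme != "https":
            continue   # an unauthenticated fetch cannot vouch for the profile
        turtle = fetch_profile(uri)
        if turtle is not None and cert_key in keys_for_subject(turtle, uri):
            return uri
    return None

def fetch_from_store(store):
    """Offline stand-in for HTTPS: {document URI without fragment: turtle}."""
    return lambda uri: store.get(uri.split("#", 1)[0])
```

Removing the key from the served profile makes the same certificate fail, which is the revocation path the thread says is lost once an attacker controls both the key and the DNS name.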


Received on Sunday, 6 March 2011 18:56:58 UTC
