- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Sun, 30 Sep 2012 15:05:06 -0400
- To: public-xg-webid@w3.org
- Message-ID: <506897E2.70105@openlinksw.com>
On 9/30/12 2:07 PM, Henry Story wrote:
> I just realised something interesting.
>
> Initially I thought this is problematic. It won't prove anything.
> But I now think I was wrong. WebID verification on this e-mail
> will tell you that I am http://bblfish.net/people/henry/card#me
> (I think it is still signing). Of course this would require adding a plugin
> to the e-mail client for this to work fluidly.
>
> But the neat thing is that if you prove that then you also prove that
>
> <http://bblfish.net/people/henry/card#me> owl:sameAs <mailto:henry.story@bblfish.net>
>
> since the e-mail was sent by someone who had access to the private key of
> <http://bblfish.net/people/henry/card#me>
>
> So there is no need to add the e-mail to the certificate!

Correct, but if you don't add an email address to the cert, many email clients will refuse to use the certificate for email signing. Likewise when these email clients receive signed emails whose certificate is missing an email address.

This has to always be about working with existing technologies (for better or worse) en route to it being the WebID and Linked Data appreciation vector that I envisage.

>
> Well not quite. Forging e-mail from fields is probably quite easy. So
> you would know it was sent by someone with WebID
> <http://bblfish.net/people/henry/card#me>
> But you'd still have the question if it was a forged from field.
> And now it all depends on who you trust more: the http webid or the
> e-mail address. If you have a serious graph of relationships based
> on https WebIDs, the webid may give you enough trust of who I am.
> Also this at least reaches the level of security of current password
> verification schemes on the internet.
>
> So webfinger could help a bit but
> http://tools.ietf.org/html/draft-hoffman-dane-smime-04
> would help a lot more (if I have understood it as placing in DNS the
> signing certificate for certs containing e-mail SANs).
>
> What adding the e-mail to the certificate gives you for sure is if you want to
> send me an encrypted mail. Then if you have only my e-mail you'd need
> to do a lookup from my e-mail to find my webid. WebFinger would help there.
> But it would be insecure - unless they have found a way to specify a
> default over https.
>
> Interestingly draft-hoffman won't help here either because you can't, from
> the signer of my certificate, work out what my public key is. They'd have
> to put the certificate for each user with an e-mail in DNSSEC, but then
> DNSSEC would become an e-mail lookup system ready for spamming people.
>
> So we have a situation where a WebID in an e-mail cert goes a lot further
> than I thought! But it is not quite optimal yet.

It is optimal. You can look up the profile of an email sender without writing a single line of code. Beyond that, you can use IMAP4 to clean up and organize your mailboxes based on WebID-based ACLs and rules. All of this has long been achieved, and we'll soon unveil a lot more on this front for consumer-grade exploitation :-)

Kingsley

>
> Henry
>
>
> On 28 Sep 2012, at 15:07, Henry Story <henry.story@bblfish.net> wrote:
>
>> Btw. this follows up on a discussion on the IETF DANE mailing list and the WebID lists, that relates to an IETF proposal to store signatures in DNSSEC using DANE. In this last part I think I found a reasonable picture of how these can interact.
>>
>> http://lists.w3.org/Archives/Public/public-webid/2012Sep/0163.html
>>
>>
>> Henry
>>
>> PS. Thanks to Kingsley for helping me use my WebID Certificate to sign e-mails
>>
>>
>> On 28 Sep 2012, at 13:36, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>>
>>> All,
>>>
>>> Bootstrapping anything on the Web requires technology implementers to use (dog-food) whatever technology they seek to promote to others. Thus, I would like to encourage every participant in the RWW and WebID community groups to make a best effort to start signing emails, moving forward.
>>>
>>> Naturally, these emails should be signed using a WebID-watermarked X.509 certificate. Certificate generation choices include:
>>>
>>> 1. Native generators that come with your desktop OS -- Mac OS X, Windows, and Linux all include such a utility
>>> 2. Certificate generators from WebID IdPs -- I have a list here: http://delicious.com/kidehen/webid+webid_idp (ping me if you have a generator that's unlisted).
>>>
>>> Over the last year or so, I've written a number of how-to guides [1] covering how to sign emails across all the major native email clients.
>>>
>>> Once again, if we don't sign our emails we lose a simple opportunity to showcase the utility of WebIDs and the WebID authentication protocol. Being able to follow-your-nose from a WebID that watermarks an email sender's certificate is a very simple utility showcase for both WebID and Linked Data.
>>>
>>> We can do this!
>>>
>>> Links:
>>>
>>> 1. http://bit.ly/VTnxzz -- collection of G+ hosted how-tos (for all the major native email clients) covering how to digitally sign emails.
>>>
>>> --
>>> Regards,
>>> Kingsley Idehen
>>
>> Social Web Architect
>> http://bblfish.net/
>
> Social Web Architect
> http://bblfish.net/

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
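An added example, not from this thread or from either author, of the check the exchange above describes: a mail-side verifier that matches the signing certificate's SAN WebID against the key published in the WebID profile, and then records which identity claims the signature actually supports. The certificate, profile, key values and example.org identifiers are constructed stand-ins; the real protocol dereferences the profile as RDF over HTTPS.

```python
# Added example (not from this thread or either author): the WebID check that a
# mail client plugin would run on an S/MIME-signed message, and what it proves.
# Stdlib only; the certificate and profile below are constructed stand-ins.

# Constructed view of the signer's X.509 certificate after the S/MIME signature
# itself has been validated: SAN entries as (type, value), RSA key as integers.
CERT = {
    "san": [("URI", "https://example.org/people/alice/card#me")],
    "modulus": 0xC0FFEE0123456789ABCDEF,
    "exponent": 65537,
}

# Constructed stand-in for the dereferenced WebID profile: in the real protocol
# this is RDF fetched over HTTPS, with cert:modulus (hexBinary) and cert:exponent.
PROFILE = {
    "https://example.org/people/alice/card#me": [
        {"modulus": "c0ffee0123456789abcdef", "exponent": 65537},
    ],
}


def verify_webid(cert, profiles):
    """Return the SAN URIs whose profile lists the certificate's public key."""
    verified = []
    for san_type, uri in cert["san"]:
        if san_type != "URI":
            continue
        for key in profiles.get(uri, []):
            # Compare as integers so leading zeros and hex case do not matter.
            if (int(key["modulus"], 16) == cert["modulus"]
                    and key["exponent"] == cert["exponent"]):
                verified.append(uri)
                break
    return verified


def identity_claims(cert, profiles, from_header):
    """What a valid signature proves. The WebID is proven by the key match;
    the mailto: (and hence owl:sameAs) only when the certificate itself carries
    the address, since a From: header on its own can be forged."""
    webids = verify_webid(cert, profiles)
    cert_emails = {v.lower() for t, v in cert["san"] if t == "rfc822Name"}
    email_ok = from_header.lower() in cert_emails
    return {
        "webids": webids,
        "from_header_verified": email_ok,
        "same_as": [(w, "mailto:" + from_header) for w in webids] if email_ok else [],
    }
```

With the certificate as constructed (WebID SAN only), the WebID is verified but the From: address is not, which is the forged-from-field gap Henry raises; adding an rfc822Name SAN closes it.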
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Sunday, 30 September 2012 19:05:29 UTC