Re: [foaf-dev] RDFAuth: an initial sketch

Just got back from the pub here (11pm), so...

On 27 Mar 2008, at 22:26, Kjetil Kjernsmo wrote:
> On Thursday 27 March 2008, Story Henry wrote:
>> 7. Juliette uses the answer in 6 to GET the PGP key.
>>     (what to do if someone has more than one PGP key?)
>>
>> 8. Romeo's server returns the PGP key
>
> I think the critical issue to be considered in any system that uses PGP
> is "how do you establish the trust network?" For all I know, you're not
> Henry at all, you're Mallory, but you just created a key with Henry's
> name and email on. Baaaaad Mallory! (and oh, my client screamed that
> this message had an invalid signature at me).

I think this problem does not come up in this use case.
When in stage 9 Juliette's foaf server has decrypted the encrypted string
it knows that the User Agent sending the request has access to
<http://romeo.name/#romeo>'s private key.

Now how the server comes to trust "http://romeo.name/#romeo" is a different problem.
It could be that Romeo gave Juliette a business card with that URL on it.
It could be that Juliette has a policy such as DIG's of trusting friends of friends
see: http://dig.csail.mit.edu/breadcrumbs/node/206
So she takes the foaf files of a few of her best friends and decides to trust all of the people
who have a relationship to depth 3 with those people as specified by her foaf file.

How you establish your trust network is up to you.

PGP is just very helpful in this case because it helps link the owner of the User Agent to a foaf file.
This is what OpenID does, but it requires a lot of redirects, and a server to process the information. PGP removes that bottleneck.
And also once it becomes widespread, it can become very useful in a huge number of other applications.


> There are of course various ways to establish those trusted links, but I
> think that when you use something as powerful as PGP, you might want to
> be careful. There is little point in PGP if your way of establishing
> trust is weak, then the trust network will be the point of attack
> anyway. As a minimum policy, I only sign keys of people I meet face to
> face and that they have a photo ID that looks reasonably official.
>
> PGP is great, and I'm always open to signing and to organise key signing
> parties, but I think that requiring PGP is hindering adoption to the
> extent where it is not very useful. I think that rather than requiring
> PGP, you could create a system where a trust metric is influenced by how
> the trust is established, and then a PGP-hardened social network would
> be trusted more than a random foaf:knows triple found somewhere on the
> net...
>
> So, for example, in Phil's child-abuse case, information could only be
> shared in encrypted form between trusted parties.
>
> Cheers,
>
> Kjetil
> -- 
> Kjetil Kjernsmo
> Programmer / Astrophysicist / Ski-orienteer / Orienteer / Mountaineer
> kjetil@kjernsmo.net
> Homepage: http://www.kjetil.kjernsmo.net/     OpenPGP KeyID: 6A6A0BBC

Received on Thursday, 27 March 2008 22:10:22 UTC
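
The separation discussed in the message above (proof of key possession in stage 9 versus a friends-of-friends trust policy to depth 3), as an added example that is not part of the original post or of any RDFAuth code. All WebIDs except http://romeo.name/#romeo, the graph itself, and the function names are constructed for illustration; key_proof_ok stands in for the outcome of the stage 9 decryption check.

```python
from collections import deque

# Constructed sample data: foaf:knows edges as gathered from fetched FOAF
# files. Only http://romeo.name/#romeo appears in the thread; every other
# WebID below is a hypothetical placeholder.
ROMEO = "http://romeo.name/#romeo"
NURSE = "http://nurse.example/#me"
BENVOLIO = "http://benvolio.example/#me"
MERCUTIO = "http://mercutio.example/#me"
BALTHASAR = "http://balthasar.example/#me"
MALLORY = "http://mallory.example/#me"

KNOWS = {
    NURSE: [BENVOLIO],
    BENVOLIO: [MERCUTIO],
    MERCUTIO: [ROMEO],
    ROMEO: [BALTHASAR],
    MALLORY: [NURSE, ROMEO],  # self-asserted links; nobody trusted links back
}
SEEDS = [NURSE]  # the "best friends" whose FOAF files Juliette starts from


def trusted_within(knows, seeds, max_depth=3):
    """Breadth-first walk of foaf:knows; returns {webid: hops from a seed}."""
    depth = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if depth[node] == max_depth:
            continue  # do not expand beyond the policy depth
        for friend in knows.get(node, ()):
            if friend not in depth:  # first visit is the shortest path
                depth[friend] = depth[node] + 1
                queue.append(friend)
    return depth


def authorize(webid, key_proof_ok, knows=KNOWS, seeds=SEEDS, max_depth=3):
    """Authentication (key possession) and trust policy are separate checks."""
    if not key_proof_ok:  # assumed result of the stage 9 decryption check
        return False
    return webid in trusted_within(knows, seeds, max_depth)


if __name__ == "__main__":
    for who in (ROMEO, BALTHASAR, MALLORY):
        print(who, authorize(who, key_proof_ok=True))
```

Because the walk follows edges outward from the seeds only, a WebID that merely asserts foaf:knows towards trusted people gains nothing from a valid key proof.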