- From: Chris Bizer <chris@bizer.de>
- Date: Thu, 18 Mar 2004 11:50:08 +0100
- To: "Patrick Stickler" <patrick.stickler@nokia.com>
- Cc: "ext Jeremy Carroll" <jjc@hpl.hp.com>, <phayes@ihmc.us>, <www-archive@w3.org>, <jjc@hplb.hpl.hp.com>
> > OK, so either way, all we need is the swp:authority and swp:signature, > and then via the URI of the authority we obtain a certificate for the > authority, Yes. where the CA of that certificate is either the authority > itself (PGP) or is specified in the certificate (X509). > > Right? > Sorry, no. The idea with PGP's Web-of-Trust approach is that: 1. I get somehow convinced that a public key belongs to you (maybe by meeting you). 2. Thus I sign your public key with my private key creating a certificate for your public key. 3. Jeremy might do the same with my public key. Thus we end up with two certificates that we publish on a PGP key and certificate server (list of servers found at http://www.pgpi.org/services/keys/keyservers/) 4. If now Pat wants to decide if he trusts a public key which claims to belong to you, he gets the two certificates from the server. If Pat trusts Jeremy's public key, he can use the key to verify the certificate from Jeremy claiming that a public key belongs to me. With his information Pat can verify my certificate claiming that your key belongs to you. Thus following the decentralized certification chain Pat ends up with some trust in your key and might use it to verify a message you have signed. When these chains are becoming longer, things start to get fuzzy. But it is mainly the same approach we are proposing for assertion and the one Tim Berners-Lee proposes for rating information sources on the Semantic Web. Chris .
Received on Thursday, 18 March 2004 06:48:17 UTC