Re: Developer repositories for Debian

To: debian-devel@lists.debian.org
Subject: Re: Developer repositories for Debian
From: Russ Allbery <rra@debian.org>
Date: Tue, 14 May 2013 09:53:48 -0700
Message-id: <[🔎] 87k3n14i5f.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20130514140321.23166.32356@bastian.jones.dk> (Jonas Smedegaard's message of "Tue, 14 May 2013 16:03:21 +0200")
References: <[🔎] 87y5btehw3.fsf@gkar.ganneff.de> <[🔎] 20130506070543.GE25004@x230-buxy.home.ouaza.com> <[🔎] 87haif7vkv.fsf@gkar.ganneff.de> <[🔎] 20130507062252.GA32129@x230-buxy.home.ouaza.com> <[🔎] 87haibnb9y.fsf@windlord.stanford.edu> <[🔎] 8738tpwxtk.fsf@inf-8657.int-evry.fr> <[🔎] 20130514140321.23166.32356@bastian.jones.dk>

Jonas Smedegaard <dr@jones.dk> writes:
> Quoting Olivier Berger (2013-05-14 14:27:51)

>> I'm not so sure how GPG integrates in the WebID landscape, but it seems
>> to me that WebID, based on Linked Data principles has some similarity
>> with Web of Trust concepts well known in the GPG system.

> Daniel has raised concerns about WebID: 
> http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/001030.html

> Quite frustrating, because I trust Daniels reasonings on crypto matters
> far better than my own, yet feel strongly that WebID is the right way to
> go for loosely coupled trust chains like this.

I'd never heard of WebID before this thread, but looking briefly at the
spec, I share Daniel's concerns.  I don't see how this eliminates reliance
on the normal CAs.  You still have to do certificate validation to be able
to trust the link between URL and keypair, and the WebID protocol provides
no way to do that certificate validation other than the normal CA process
(and doesn't provide any alternative CA).

If you're going to trust the normal CAs anyway, all that WebID is really
giving you is the ability to add additional metadata to the user's public
certificate by publishing it at a linked URL; you're still trusting the
public CAs implicitly to verify that user's certificate.

Furthermore, you're not even using a direct CA signature, but rather are
using the server certificate of the web server the user gives you in the
URL to validate that their *client* certificate is owned by them.  I
haven't fully thought through the implications of that, but at first
glance it strikes me as a repurposing of authentication data in a way that
isn't theoretically sound.

WebID is trying to solve both the authentication problem and the
distributed identity management problem.  Do we actually need the identity
management functionality?  If not, then the FOAF data isn't needed, and an
X.509 certificate from a Debian CA that issues certificates based on
GnuPG-signed requests would be sufficient for us to bootstrap our own
X.509 infrastructure without all the additional complexity of WebID.
(With the caveat, as mentioned previously, that we'd have to do some
thinking about expiration times and revocation.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Developer repositories for Debian
  - From: obergix@debian.org

References:
- Developer repositories for Debian
  - From: Joerg Jaspert <joerg@ganneff.de>
- Re: Developer repositories for Debian
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Developer repositories for Debian
  - From: Joerg Jaspert <joerg@debian.org>
- Re: Developer repositories for Debian
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Developer repositories for Debian
  - From: Russ Allbery <rra@debian.org>
- Re: Developer repositories for Debian
  - From: Olivier Berger <obergix@debian.org>
- Re: Developer repositories for Debian
  - From: Jonas Smedegaard <dr@jones.dk>

Prev by Date: Re: jessie release goals
Next by Date: Re: jessie release goals
Previous by thread: Re: Developer repositories for Debian
Next by thread: Re: Developer repositories for Debian
Index(es):
- Date
- Thread