Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> On 05/14/2013 10:03 AM, Jonas Smedegaard wrote:
>
>> I have also thought WebID would be a perfect match for things like this.
> [...]
>> Daniel has raised concerns about WebID:
>> http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/001030.html
>>
>> Quite frustrating, because I trust Daniel's reasonings on crypto matters
>> far better than my own, yet feel strongly that WebID is the right way to
>> go for loosely coupled trust chains like this.
>>
>> I think the way forward is for someone understanding WebID deeply to
>> explain it to Daniel and others working on Monkeysphere, to get it
>> integrated there.
>>
>> As I understand it, technically the paperkey tool can be used to
>> flesh out the core crypto material from a GPG (sub!)key and wrapping
>> that into an SSL key should be the way to go. But that alone is not
>> enough: We also need trust in WebID from those in Debian deeply
>> understanding crypto.
>>
>> Cc'ing Daniel, hoping he has time to shed some renewed light on this.
>
> Web ID as a key verification mechanism has problems with centralized
> authority. Passwords have their own (distinct) set of serious problems,
> as far as i can tell.
>
> However, if we use Web ID as a key discovery mechanism and use other
> (non-centralized, non-third-party) mechanisms to validate the keys found
> therein, that seems like one decent way forward.

Do you have any thoughts on how that compares with using
BrowserID/Persona?

I'd got the impression that BrowserID has been put together learning
from mistakes of OpenID & WebID, but perhaps I'm just swallowing their
marketing.

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND