Re: Web ID as passwordless authentication for debian web services

To: debian-devel@lists.debian.org
Subject: Re: Web ID as passwordless authentication for debian web services
From: Stéphane Glondu <glondu@debian.org>
Date: Fri, 17 May 2013 08:14:13 +0200
Message-id: <[🔎] 5195CAB5.8090708@debian.org>
In-reply-to: <[🔎] 87li7ekhjh.fsf@windlord.stanford.edu>
References: <[🔎] 87y5btehw3.fsf@gkar.ganneff.de> <[🔎] 20130506070543.GE25004@x230-buxy.home.ouaza.com> <[🔎] 87haif7vkv.fsf@gkar.ganneff.de> <[🔎] 20130507062252.GA32129@x230-buxy.home.ouaza.com> <[🔎] 87haibnb9y.fsf@windlord.stanford.edu> <[🔎] 8738tpwxtk.fsf@inf-8657.int-evry.fr> <[🔎] 20130514140321.23166.32356@bastian.jones.dk> <[🔎] 5193133C.7050506@fifthhorseman.net> <[🔎] 87li7fy6am.fsf@poker.hands.com> <[🔎] 51949F6F.3010700@debian.org> <[🔎] 20130516102031.29499.62330@bastian.jones.dk> <[🔎] 87r4h7kk2r.fsf@windlord.stanford.edu> <[🔎] 519506ED.6030002@debian.org> <[🔎] 87li7ekhjh.fsf@windlord.stanford.edu>

Le 16/05/2013 18:37, Russ Allbery a écrit :
>>> You could, in theory, switch to DNSSEC, but now you're just replacing
>>> one CA cartel with another.
> 
>> Except that with DNSSEC (and DANE), the number of people you have to
>> trust is much smaller.
> 
> Right, it depends on what your risk model is.  If you're defending against
> incompetence and/or commercial greed overriding security practices, DNSSEC
> looks a lot more appealing than the CA cartel, since there isn't the same
> level of commercial incentive to cut corners and do a crappy job (there's
> some, but it's not as bad).  But if you're defending against governments,
> DNSSEC isn't going to help.  I think it's best to assume that both the US
> and Chinese governments, at least, can make DNSSEC say what they want it
> to if they ever needed to.

That might be, but you already have to trust the "DNS cartel" anyway for
resolving domain names (which is needed in WebID, BrowserID, ...). You
don't have to give trust to new entities when using DNSSEC.

-- 
Stéphane

Reply to:

Follow-Ups:
- Re: Web ID as passwordless authentication for debian web services
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Web ID as passwordless authentication for debian web services
  - From: Russ Allbery <rra@debian.org>

References:
- Developer repositories for Debian
  - From: Joerg Jaspert <joerg@ganneff.de>
- Re: Developer repositories for Debian
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Developer repositories for Debian
  - From: Joerg Jaspert <joerg@debian.org>
- Re: Developer repositories for Debian
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: Developer repositories for Debian
  - From: Russ Allbery <rra@debian.org>
- Re: Developer repositories for Debian
  - From: Olivier Berger <obergix@debian.org>
- Re: Developer repositories for Debian
  - From: Jonas Smedegaard <dr@jones.dk>
- Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
  - From: Philip Hands <phil@hands.com>
- Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
  - From: Stéphane Glondu <glondu@debian.org>
- Re: Web ID as passwordless authentication for debian web services [was: Re: Developer repositories for Debian]
  - From: Jonas Smedegaard <dr@jones.dk>
- Re: Web ID as passwordless authentication for debian web services
  - From: Russ Allbery <rra@debian.org>
- Re: Web ID as passwordless authentication for debian web services
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Web ID as passwordless authentication for debian web services
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Do opaque struct changes break C library ABIs
Next by Date: Re: Apport for Debian
Previous by thread: Re: Web ID as passwordless authentication for debian web services
Next by thread: Re: Web ID as passwordless authentication for debian web services
Index(es):
- Date
- Thread