Re: Web ID as passwordless authentication for debian web services
Quoting Stéphane Glondu (2013-05-17 08:14:13)
> On 16/05/2013 18:37, Russ Allbery wrote:
> >>> You could, in theory, switch to DNSSEC, but now you're just
> >>> replacing one CA cartel with another.
> >
> >> Except that with DNSSEC (and DANE), the number of people you have
> >> to trust is much smaller.
> >
> > Right, it depends on what your risk model is. If you're defending
> > against incompetence and/or commercial greed overriding security
> > practices, DNSSEC looks a lot more appealing than the CA cartel,
> > since there isn't the same level of commercial incentive to cut
> > corners and do a crappy job (there's some, but it's not as bad).
> > But if you're defending against governments, DNSSEC isn't going to
> > help. I think it's best to assume that both the US and Chinese
> > governments, at least, can make DNSSEC say what they want it to if
> > they ever needed to.
>
> That might be, but you already have to trust the "DNS cartel" anyway
> for resolving domain names (which is needed in WebID, BrowserID, ...).
> You don't have to give trust to new entities when using DNSSEC.
...as long as using WebID with DNS-based URIs.

Some may choose to use e.g. .onion-based WebID URIs (using custom
authentication mechanisms until more formally defined), where data
processing uses the exact same tools, and where data can be intermixed
with more classic "cartel-infected" nodes.

...which means WebID allows for an evolutionary migration to a
cartel-free web, for those wanting that but who do not believe it can
happen in one go, and those wanting that for a subset of the internet
while also wanting to seamlessly exchange with legacy webs.

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private