Re: Developer repositories for Debian
Quoting Olivier Berger (2013-05-14 14:27:51)
> Russ Allbery <rra@debian.org> writes:
>
> > Raphael Hertzog <hertzog@debian.org> writes:
> >> On Mon, 06 May 2013, Joerg Jaspert wrote:
> >
> >>> Nah, the webinterface just should end up like the DAM
> >>> webinterface: You do whatever you need, then click a button - and
> >>> voila, there is everything ready to copy/paste into a MUA. Send
> >>> with sig, done.
> >
> >> Why? This is just a band-aid and not what I would call a web
> >> interface. And except lazyness I don't see a good reason for that.
> >> Web interfaces can be secure (and with an audit trail in case of
> >> breach). After all we can manage our Debian passwords over a web
> >> interface...
> >
> > That level of security isn't great, though. GPG keys are much more
> > secure than that password. What we would want for equivalent
> > security in a web interface is personal X.509 certificates.
> >
>
> WebID [0] could be useful in this respect. It includes the use of SSL
> certs for authentication, in addition to other benefits (see some
> discussion in the thread at [1]).
I have also thought WebID would be a perfect match for things like this.
> > I think it would be interesting to have that infrastructure in
> > place, but someone would need to build it (probably with some
> > mechanism to bootstrap GPG keys into X.509 certificates -- and be
> > careful of expiration times and figure out a good way to deal with
> > revocation).
> >
>
> I'm not so sure how GPG integrates in the WebID landscape, but it
> seems to me that WebID, based on Linked Data principles has some
> similarity with Web of Trust concepts well known in the GPG system.
Daniel has raised concerns about WebID:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/001030.html
Quite frustrating, because I trust Daniels reasonings on crypto matters
far better than my own, yet feel strongly that WebID is the right way to
go for loosely coupled trust chains like this.
I think the way forward is for someone understanding WebID deeply to
explain it to Daniel and others working on Monkeysphere, to get it
integrated there.
As I understand it, technically the paperkey tool can be used to to
flesh out the core crypto material from a GPG (sub!)key and wrapping
that into an SSL key should be the way to go. But that alone is not
enough: We also need trust in WebID from those in Debian deeply
understanding crypto.
Cc'ing Daniel, hoping he has time to shed some renewed light on this.
- Jonas
[interest]:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/000836.html
[scepticism]:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-August/002426.html
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Reply to: