[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Developer repositories for Debian

Quoting Olivier Berger (2013-05-14 14:27:51)
> Russ Allbery <rra@debian.org> writes:
> 
> > Raphael Hertzog <hertzog@debian.org> writes:
> >> On Mon, 06 May 2013, Joerg Jaspert wrote:
> >
> >>> Nah, the webinterface just should end up like the DAM 
> >>> webinterface: You do whatever you need, then click a button - and 
> >>> voila, there is everything ready to copy/paste into a MUA. Send 
> >>> with sig, done.
> >
> >> Why? This is just a band-aid and not what I would call a web 
> >> interface. And except lazyness I don't see a good reason for that. 
> >> Web interfaces can be secure (and with an audit trail in case of 
> >> breach). After all we can manage our Debian passwords over a web 
> >> interface...
> >
> > That level of security isn't great, though.  GPG keys are much more 
> > secure than that password.  What we would want for equivalent 
> > security in a web interface is personal X.509 certificates.
> >
> 
> WebID [0] could be useful in this respect. It includes the use of SSL 
> certs for authentication, in addition to other benefits (see some 
> discussion in the thread at [1]).

I have also thought WebID would be a perfect match for things like this.


> > I think it would be interesting to have that infrastructure in 
> > place, but someone would need to build it (probably with some 
> > mechanism to bootstrap GPG keys into X.509 certificates -- and be 
> > careful of expiration times and figure out a good way to deal with 
> > revocation).
> >
> 
> I'm not so sure how GPG integrates in the WebID landscape, but it 
> seems to me that WebID, based on Linked Data principles has some 
> similarity with Web of Trust concepts well known in the GPG system.

Daniel has raised concerns about WebID: 
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/001030.html

Quite frustrating, because I trust Daniels reasonings on crypto matters 
far better than my own, yet feel strongly that WebID is the right way to 
go for loosely coupled trust chains like this.

I think the way forward is for someone understanding WebID deeply to 
explain it to Daniel and others working on Monkeysphere, to get it 
integrated there.

As I understand it, technically the paperkey tool can be used to to 
flesh out the core crypto material from a GPG (sub!)key and wrapping 
that into an SSL key should be the way to go.  But that alone is not 
enough: We also need trust in WebID from those in Debian deeply 
understanding crypto.

Cc'ing Daniel, hoping he has time to shed some renewed light on this.


 - Jonas

[interest]: 
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/000836.html

[scepticism]: 
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-August/002426.html

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Reply to: