
Re: Web ID as passwordless authentication for debian web services



On 05/16/2013 03:52 PM, Jonas Smedegaard wrote:

> I think you are missing the potential for third-parties to make use of 
> identifiers without needing authentication.

Well, they still need to do authentication.  For example, consider three
(not necessarily incompatible) channels to tie authentication-capable
public key material K to debian developer D (there could be more):

 A) we have an OpenPGP "Debian Keyring role key" that is held by the
debian keyring maintainers in some form.  That role key certifies
OpenPGP certificates that bind K to D.

 B) we use a debian-specific CA (possibly one issued by the SPI CA with
nameConstraints limited to the debian.org zone?) to issue an X.509
end-entity certificate that contains K and identifies the cert holder as D.

 C) we use WebID to publish key material K in some form at
https://webid.debian.org/D

The third party that wants to use this information still needs to
authenticate it in each case:

 A) do they know that they have the right Debian Keyring role key?

 B) do they know about the debian-specific CA? do they have the right one?

 C) how do they authenticate the certificate for
https://webid.debian.org/ ?  If it's not via the CA cartel, what do they do?


I'm sure there could be a D and an E and an F if you want to invent new
mechanisms.

---------

We can offer all of these channels of verification if we want to (though
it's more work to publish and maintain these linkages in three channels
than in one), and third parties who want to validate via one channel but
aren't convinced by the others can just ignore the other ones.

Regards,

	--dkg

PS thanks for keeping me in the CC on this discussion.
