
Re: WebID as passwordless authentication for debian web services



On 05/18/2013 12:08 PM, Olivier Berger wrote:

> We do verify such trust chains every day for db.debian.org AFAIU (and of
> course for uploads)... so provided a GPG public key is in our keyrings,
> it can be used to "certify" a WebID document, by verifying that it has
> been signed by the correct GPG key, right ?
>
> So, if I'm not trying to think too far of potential abuses, in practical
> terms, my understanding is that we may use WebID + TLS for Debian,
> provided that we only trust FOAF/WebID documents signed with GPG by
> Debian participants which would have been registered in a DB of ours as
> allowing the use of a (remote) WebID, such registration being made with
> the same GPG key's signature (for instance using the mail gateway of
> db.debian.org).
> 
> Then such WebID could be trusted by Debian to provide meta-data about
> the Debian project member, and could be used to authenticate to Debian
> servers in a password-less way, using their associated TLS cert.

You've described several steps of cryptographic check that could be done
here.  At least one of the critical steps seems to rely on OpenPGP data
signatures (as opposed to OpenPGP identity certifications), if i'm
understanding your proposal correctly.  Other steps also rely on OpenPGP
identity certifications (in contrast to OpenPGP data signatures).

It's not clear to me how i might revoke an OpenPGP data signature (i.e.
a signature over a document) or what a data signature with an expiration
date would mean; but OpenPGP expiration and revocation semantics are
well-understood and already implemented when looking at OpenPGP identity
certifications.

If the only thing that the cryptographic signature is used for is the
assertion of identity information coupled with a claim of public key
material, then just using a standard OpenPGP identity certification
seems like the simplest thing -- you already need to be able to rely on
such a claim in the first place for potential signing-capable subkeys
(and their subkey-binding certifications).

I understand how debian's web services might make use of identity
certification this way; I haven't yet heard an explanation for what
advantages debian would get as an organization for any of the
linked-data sort of material, and one isn't springing to mind for me
(though i might just be insufficiently imaginative).  I share the
hesitance that both Russ and Jonas have expressed about encouraging
public participation in the publication of rich social graphs, so i tend
to lean toward the idea of just publishing identity certifications (if
that's all debian needs) and leaving out the other features until it
becomes clear that we have a real use case for them.

	--dkg
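An added example, not from this thread or from Debian's infrastructure, of the acceptance check Olivier's proposal implies: gpg's machine-readable `--status-fd` output for a detached signature over a FOAF/WebID document is parsed, the signer's primary fingerprint is matched against a constructed set of Debian members registered for WebID use, and, because a data signature itself cannot be revoked (dkg's concern), the key's revocation/expiry status and the signature's age are also checked. The fingerprints, status lines and the 90-day window are constructed assumptions.

```python
import subprocess
from dataclasses import dataclass

@dataclass
class SigResult:
    valid: bool = False      # VALIDSIG seen: signature is cryptographically good
    primary_fpr: str = ""    # primary-key fingerprint of the signer
    sig_time: int = 0        # signature creation time (epoch seconds)
    key_problem: str = ""    # "", "revoked", "expired", "unknown-key" or "bad"

def parse_status(status_text: str) -> SigResult:
    """Reduce gpg --status-fd lines to the facts the policy needs."""
    res = SigResult()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        kw = parts[1]
        if kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <sig-ts> <sig-expire> <ver> <rsv> <pk-algo>
            #          <hash-algo> <sig-class> <primary-fpr>
            res.valid = True
            res.sig_time = int(parts[4])
            res.primary_fpr = parts[11] if len(parts) > 11 else parts[2]
        elif kw == "REVKEYSIG":     # gpg still emits VALIDSIG alongside this
            res.key_problem = "revoked"
        elif kw == "EXPKEYSIG":
            res.key_problem = "expired"
        elif kw == "NO_PUBKEY":
            res.key_problem = "unknown-key"
        elif kw in ("BADSIG", "ERRSIG"):
            res.key_problem = "bad"
    return res

def webid_doc_trusted(status_text, registered_fprs, now, max_age=90 * 86400):
    """Policy: good signature, key not revoked/expired, signer registered,
    and the signed document re-signed within max_age (constructed value)."""
    r = parse_status(status_text)
    if not r.valid or r.key_problem:
        return False, r.key_problem or "no-valid-signature"
    if r.primary_fpr not in registered_fprs:
        return False, "signer-not-registered"
    if now - r.sig_time > max_age:
        return False, "signature-too-old"
    return True, "ok"

def gpg_status(doc_path, sig_path, keyring_path):
    """Real gpg invocation against a dedicated keyring (not run by the test)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring",
           "--keyring", keyring_path, "--verify", sig_path, doc_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout
```

The "signature-too-old" branch is the mitigation for the gap dkg points out: the only lever left for an unrevocable data signature is to stop honouring old ones and require the member to re-sign the document periodically.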
