[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] WebID

On Tue, Mar 01, 2011 at 07:51:07PM +0100, Melvin Carvalho wrote:
>On 1 March 2011 19:34, Jonas Smedegaard <dr at jones.dk> wrote:
>> On Tue, Mar 01, 2011 at 07:04:53PM +0100, Melvin Carvalho wrote:
>>> On 1 March 2011 18:44, Daniel Kahn Gillmor <dkg at fifthhorseman.net> 
>>> wrote:
>>>> On 03/01/2011 12:33 PM, Melvin Carvalho wrote:
>>>>> But actually there is a way in the case of the Freedom Box, 
>>>>> because you have the advantage of controlling your own server.
>>>>> Since you are already running a webserver and (hopefully) have 
>>>>> control of your DNS.
>>>>> You can provide a two-way verification chain.
>>>>> 1. Your Person Profile publishes your public key. ?(this is a few 
>>>>> lines of html5, should be easy)
>>>>> 2. Point your self-signed X.509 to your Freedom Box profile. ?This 
>>>>> can be done by putting an entry in the SubjectAltName field of the 
>>>>> cert, a common technique.
>>>>> This provides strong verification for all the X.509 tool chain and 
>>>>> means you can talk security to any server using SSL/TLS which is 
>>>>> most of them, providing strong authentication as a side product.
>>>> This doesn't provide an adequate means of revocation, though. ?If 
>>>> an attacker gets control over your key, and is able to repoint DNS, 
>>>> then you cannot publish any revocation statement about this key 
>>>> through this channel.
>>> If an attacker does gain these two points of control, and they knew 
>>> what they were doing, you could have an issue yes.
>>> We need to scope out a revocation model, but I dont think it's that 
>>> hard. ?May already be something existing, I'll have a check.
>> Without plauing with it yet myself, I blindly assumed Monkeysphere 
>> was usable for exactly this: use GPG web of trust to assure 
>> certificates.
>>>> These two points are what i meant when i said that this model has 
>>>> "no way of verifying/revoking these keys".
>>>> I'm sure you could graft something like this onto <X.509+your 
>>>> scheme above>; but OpenPGP already exists and handles these cases 
>>>> pretty well. ?Why reinvent the wheel?
>>> Because X.509 is quite webby, and the web is the dominant ecosystem 
>>> on the internet.
>> more specifically: TLS allows for RESTful secure identity handling - 
>> which helps save bandwidth as is is friendly to proxies and other 
>> caching.
>> http://www.w3.org/wiki/WebID
>Yes, exactly.
>There's a group that has now moved this a step closer to 
>standardization with the a W3C Web Consortium Incubator Group.
>I know revocation has been raised as a topic.  I normally listen in on 
>the telecons, so I can report back on this topic, and any others people 
>with to raise.


On a related note, I now (after fighting intensely with it for 3 days, 
producing the needed 27 Debian packages) I have now packaged 
libcgi-auth-foaf-ssl-perl which is a Perl implementation of WebID.

The work is now pending approval into Debian, and is also available 
using the following APT line:

  deb http://debian.jones.dk/ sid freedombox

I would appreciate any and all comments on these packages (and also do 
tell me if you are interested in the field of RDF using Perl and need 
other libraries packaged!).

 - Jonas

  * Jonas Smedegaard - idealist & Internet-arkitekt
  * Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110306/a7634e6d/attachment.pgp>

Reply to: