
[Freedombox-discuss] FOAF developers taking FreedomBox into their equation

On Thu, Mar 10, 2011 at 12:23:59PM +0100, Jonas Smedegaard wrote:
> On Thu, Mar 10, 2011 at 02:55:08AM +0100, bertagaz at ptitcanardnoir.org wrote:
> >
> >Then how does the authentication part work? Is there a web of
> >trust, or a way to be sure an X.509 cert belongs to a certain ID?
> WebID is technically called FOAF+SSL.
> It is a FOAF resource which includes claims of its own URL and a
> public key that is governing it. And it is a client certificate
> containing a URL referencing that FOAF.
> So when presenting the client certificate, it can be verified by
> checking that the URL it references does indeed contain that same
> public key as the client certificate.
> Instead of trying to shoot down the above, please read up on it first.
> I am not an engineer of WebID nor an expert in the security parts of
> it.

So why in your previous mail are you saying we can?

My point is not to shoot something, just trying to understand. My
questions were similar to the one Daniel asked, maybe in a more naive way.

I've read papers [1] [2] before asking, but it's still unclear how this
identity verification and web of trust is working.

As you seem to work on this, and push the adoption of this technology in
this project I thought you were the right one to ask...

At some point it sounds to me that this project is trying to implement
stuff gnupg already supports, but on top of X.509. Sure it has other
features as you explain (like these interesting different rings of
relationships), but I don't get why they want to do it over X.509 rather
than gnupg, which is more robust.


[1] Other people did have this debate :

[2] http://blogs.sun.com/bblfish/entry/foaf_ssl_pki_and_the (explains
nothing), linked from http://docs.openlinksw.com/virtuoso/vfoafssl.html
as something that would explain the mechanism.
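
The check described in the quoted text above (the URL in the client certificate must lead to a document that lists the certificate's own public key), as an added example that is not part of the original thread or of any WebID implementation. The `cert:key`, `cert:modulus` and `cert:exponent` terms are assumed from the later W3C WebID-TLS draft; the profile, the key, `fake_fetch` and the HTTPS-only rule are constructed for illustration.

```python
import re
from urllib.parse import urldefrag

# Constructed sample profile (tiny Turtle subset); not a real identity or key.
PROFILE = '''
<https://alice.example/foaf#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "00C0 FFEE 1234 ABCD"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
'''

# Matches only the layout above; a real verifier would use an RDF parser.
KEY_RE = re.compile(
    r'<(?P<s>[^>]+)>\s+cert:key\s+\[\s*(?:a\s+cert:RSAPublicKey\s*;\s*)?'
    r'cert:modulus\s+"(?P<m>[0-9A-Fa-f\s]+)"\^\^xsd:hexBinary\s*;\s*'
    r'cert:exponent\s+(?P<e>\d+)\s*\]')

def profile_keys(text):
    """Yield (subject URI, modulus, exponent) claims found in a profile."""
    for m in KEY_RE.finditer(text):
        # Compare as integers so spacing, case and leading zeros do not matter.
        yield m["s"], int(re.sub(r"\s", "", m["m"]), 16), int(m["e"])

def verify_webid(cert_uri, cert_modulus, cert_exponent, fetch):
    """True if the document at cert_uri lists the certificate's key for that URI."""
    # Assumes the TLS handshake already proved the client holds the private key.
    doc_url, _fragment = urldefrag(cert_uri)
    if not doc_url.startswith("https://"):
        return False  # assumption: profiles are only fetched over TLS
    try:
        text = fetch(doc_url)
    except OSError:
        return False  # unreachable profile: fail closed
    # The key must be claimed for this exact URI, not merely appear in the file.
    return any(s == cert_uri and n == cert_modulus and e == cert_exponent
               for s, n, e in profile_keys(text))

def fake_fetch(url):
    """Hypothetical stand-in for an HTTPS GET of the profile document."""
    if url == "https://alice.example/foaf":
        return PROFILE
    raise OSError("no such profile")

def demo():
    uri, n = "https://alice.example/foaf#me", 0xC0FFEE1234ABCD
    return (verify_webid(uri, n, 65537, fake_fetch),      # matching key
            verify_webid(uri, n + 2, 65537, fake_fetch),  # different key
            verify_webid("https://alice.example/foaf#bob", n, 65537, fake_fetch))

if __name__ == "__main__":
    print(demo())
```

A successful result binds the key to the URL only: it shows that whoever holds the private key also controls the document at that address.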
