[Freedombox-discuss] FOAF developers taking FreedomBox into their equation
On 10 Mar 2011, at 01:50, Clint Adams wrote:
> On Thu, Mar 10, 2011 at 12:11:01AM +0100, Melvin Carvalho wrote:
>>> WebID use SSL certificates, but do not require _centralized_ certificate
>>> authorities, Actually, due to requiring an unusual additional hint, some
>>> centralized CA autorities including CAcert.org cannot currently provide
>>> WebID compatible certificates.
>> Traditionally we've always 'self signed' our WebID certificates. So
>> there's no CA that needs to be in the loop. In fact, I dont know of
>> any instance WebID has *ever* been used with a CA, but I suppose it is
>> possible too. :)
> Okay, so if I control the hostname me.fb2fb in a hypothetical decentralized
> naming scheme, I generate a WebID at http://me.fb2fb/webid#me or something,
> and you can validate that the person who controls http://me.fb2fb/webid#me
> is the same person that claims to control me.fb2fb, correct?
The tools we use start with centralised naming scheme for the moment namely DNS. That of course gives it some chance of getting going easily, since the infrastructure is in place and very widely deployed.
It should be possible to have URLs with ip addresses, if you don't want to rely on DNS. But that may bring all kinds of issues too. It won't make the following easier:
> Now if I lose control over me.fb2fb, and someone else generates a new
> WebID at that URL, has that person now acquired my identity and credentials?
> If so, does WebID have any features that would mitigate this?
This is the equivalent in PGP land of loosing control of your private key. What do you do then?
Since the value of a WebID is its relation in a network, you should have all your friends remove their links to that WebID, or even have them specify that the URIs is outdated as a relation for you.
But one can imagine building other layers to make things more secure. The problem is that every layer you add will make adoption more difficult and create other issues. In the mean time FaceBook and clowns don't have anything stopping their momentum.
So one thing one could do is if you were to use a cryptokey/token card, would be to publish the relation to this key as a token cord one - ie, one that you can expect to keep for a long time. Your friends could then republish your relation to this key. Now if you loose your token card you'll have to go to all your friends to ask them to change that information in case someone relies on that. But servers that wish to be more secure could give you extra access rights if you use the token card key that all your friends say you have.
We have stuck with the simplest part for the moment, because it is enough to get the Social Web distributed. It will certainly be interesting once we have a few better implementations to see how we can add trust by people signing each others documents. But this is not an easy thing to get right.
Social Web Architect