[Freedombox-discuss] FOAF developers taking FreedomBox into their equation
On 03/10/2011 04:27 PM, Henry Story wrote:
> yes, I don't think there is a miracle solution. This one could be better than
> what we have now, which is the same, except that DNS can be broken any moment and we rely on a distributed cartel.
Yeah, what we have now sucks. And the CA cartel isn't even distributed
in the common sense of the term. That is, you'd expect a distributed
system to be robust in the face of the failure of one (or several) of
its constituent elements. The CA cartel is a *weakest-link* set due to
the current policies of most X.509-consuming clients -- you only need to
compromise one member of the cartel to compromise every client.
> I'd be interested in seeing how WebID can be tied into PGP. There is no reason it could not... I know one can put an e-mail into a PGP certificate. Can one put a URL there too? Like a Subject Alternative Name?
> What is useful if you look at the FAQ is that WebID also allows you through the reference to build a much richer and changeable profile that you would ever want to put into a certificate.
> (I am not being fair to PGP there perhaps, but then I am waiting for feedback)
> This allows others to link to you, and so create a web of trust - using the word 'web' here in the same way as it is used in World Wide Web.
> Or are you just totally against URLs?
i'll put defer these points briefly -- i have sketches of plans to try
to tie OpenPGP certificates into X.509 in simpler ways that RFC 6091,
but i have not been able to find the time to make them presentable yet.
Feel free to poke me about it :)
> You get other very valuable pieces: linked data being the most important. The success of the web tells you haw important hyper text was. Hyper data won't be different.
If you tell me "let's use FOAF to publish relationship data", i'll say
"great! that sounds lovely, and i haven't heard a better proposal".
But this discussion has been about using WebID as an *authentication*
mechanism -- that is, a way to bind a real-world entity to a name (in
the WebID case, the name is the URI) to a public key.
My point is simply that WebID does not address this question of
authentication. Rather, it punts it to the current CA cartel. We
shouldn't be doing that if our goal is to avoid centralized control.
Note also that i do *not* consider cryptographic certifications of
identity to be the sum total of relationship data. They are
(deliberately) a *very* small set of all possible relationship data.
PS i still have qualms about how much i want my actual relationship data
(as opposed to mere identity certifications) published. I'm glad that
the WebID folks are considering ways to support access control for that
kind of information, rather than assuming that everyone wants to publish
their entire set of "friends" to everyone else.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1030 bytes
Desc: OpenPGP digital signature