[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] FOAF developers taking FreedomBox into their equation

On Thu, Mar 10, 2011 at 06:09:40PM -0500, Daniel Kahn Gillmor wrote:
>On 03/10/2011 04:27 PM, Henry Story wrote:
>> You get other very valuable pieces: linked data being the most 
>> important. The success of the web tells you haw important hyper text 
>> was. Hyper data won't be different.
>If you tell me "let's use FOAF to publish relationship data", i'll say
>"great! that sounds lovely, and i haven't heard a better proposal".

I say "let's use FOAF to manage relationship data at the core of 
FreedomBox, consumable *both* internally by relevant apps *and* 
externally for exchange sensible data between trusted peers and 
publishing non-sensible (if any) data in public."

I also say "let's offer web-of-trust as an end-user feature - i.e. let's 
tie GPG and/or tinyca to that same core FOAF storage, allowing users to 
maintain trust in their _peers_ instead of separately keep track of GPG 
keyrings, SSL CA trustlists, email addressbooks, chat rosters etc."

I imagine that integrated gardening of trust network and friendships 
_improve_ the quality of trust network for our users.

Do you agree so far?

If not, do you expect our users to handle GPG keysigning like us geeks 
do it, or how do you imagine normal humans to grow and maintain their 
own web of trust?

>But this discussion has been about using WebID as an *authentication* 
>mechanism -- that is, a way to bind a real-world entity to a name (in 
>the WebID case, the name is the URI) to a public key.
>My point is simply that WebID does not address this question of 
>authentication.  Rather, it punts it to the current CA cartel.  We 
>shouldn't be doing that if our goal is to avoid centralized control.

I feel you are mixing two different issues here, and it is not really 
WebID you are critisizing but classic hierarchical DNS.

Seems to me - still after this interesting discussion - that self-signed 
SSL certificates are adequate for deploying WebID.  Sure, that does not 
ensure initial connection for new relationships but that seems to me 
similar to the bootstrapping of a completely virgin PGP key.

Even with an untrusted DNS, it is my understanding that self-signed 
certification cannot be hijacked without notice.

Sorry if I am dense: could you try explain to me why self-signed 
certificates or peer-coordinated CA trust metrics are irrelevant for use 
with WebID?

I believe we are not trying to figure out a way to trust the whole World 
Wide Web, just maintain trust in peer FreedomBoxes not being 
man-in-the-middle attacked.


  - Jonas

  * Jonas Smedegaard - idealist & Internet-arkitekt
  * Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110311/23f3c730/attachment.pgp>

Reply to: