[Freedombox-discuss] FOAF developers taking FreedomBox into their equation
On Sat, Mar 12, 2011 at 04:20:59PM -0500, Boaz wrote:
>WebID is [not!] an authentication mechanism.
[proposal for new user-friendly P2P authentication mechanism]
>What does everyone think about all this?
Thank you very much. I think (and hope) that I got it now.
That _identifiaction_ mechanisms should not be confused with
I have seen _many_ places this emphasizing (e.g. explanations of OpenID,
that WebID page you also referred to, and also in a recent mail here on
the list from Daniel Kahn). And I thought I was aware of it (even felt
slightly annoyed when Daniel raised that point). But still I needed to
have it repeated once more.
But reading half-way through your email, I came up with a different
approach - which I dare present as a complementary one: Existing WoT!
When you installed that Windows or Mac system and started using it, you
trusted it to serve you - which includes trusting it to serve you in
establishing a discrete conversation via the untrusted internet. You
did not care if they invented their security mechanisms in-house or
bought it from, say, Verisign. That's irrelevant as a user!
Now you lost trust in that old system and bought a FreedomBox that you
use as proxy or filter or whatever. Again you do not care how these
geeks implements security mechanisms.
Point is, you already put a lot of trust in the _system_ and those
_selling_ it to you. Whether you are told "when the light is green,
then the box can be trusted" or "if you say banana bonanza into the
phone and the other end reads banana bonanza" is same shit: You trust
I propose that we by default use PGP. Not that we by default teach our
users to do keysigning (that's cool too, but a separate task), but that
we offer them to trust not only our box and its software, but also our
actual pre-established Web of Trust.
So let's offer our users, as a bootstrapping method of trust "fuel", our
existing PGP Web of Trust.
Let's ship FreedomBox with Monkeysphere preloaded with the content of
the Debian package "debian-keyring" - i.e. the WoT of Debian already
trusted for the code.
Sure let it be optional - our users can choose to switch to a different
WoT of their liking. Just as today users can choose to remove Verisign
from their web browser trust mechanism. With the difference that it is
a large _decentral_ trust mechanism used by default rather than a large
Then we can try invent a) ZRTP trust-noone-but-yourself-not-even-Debian,
PGP make-your-own-WoT, FOAF put-trust-in-friendships etc., independently
or - if possible - parallel trust mechanisms all governing concurrently.
Point is, all of them require user interface design if nothing else,
which makes them tough to implement (read: takes time). Hooking
existing Wot (Debian Developers) together using existing glue
(Monkeysphere) should take less time, I assume.
How does that sound?
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 836 bytes
Desc: Digital signature