
[Freedombox-discuss] Friendika



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I had time to spare and watched your talk about "Philosophy and the
Social Web". Very interesting!

I have a number of questions about WebID. I hope there aren't too many;
they follow below.

> The server certificates work much better when relying on a CA of
> course. Without CA signed certificates the client or the server
> would not know if they have really reached the server. So there is
> an attack that is possible there. If that is not an issue that could
> be bypassed, especially in server to server configuration. Of course
> in that case each side should understand that the level of security
> is lower. But not lower than when we connect to http://google.com/ .
> (On the client side connecting to a server that is not CA enabled
> leads to ugly UI issues though.)
>
> Now I think it would be great if everything were behind https. Then
> when google gave us an answer we would not be in danger of receiving
> a man in the middle corrupted answer, sending us to some other fake
> page. Security itself is social. If Google is not secure then most
> things we do are not secure. If other web sites are not secure then
> google is not secure - cause Google's crawlers could be
> man-in-the-middled.
> 
> But we can't get everything behind https if we _need_ to rely on
> CAs, as they are a bottleneck. DNS is not perfect but already a lot 
> better. So people who want to help increase security there, should 
> look at the IETF DANE work.
> 
> http://datatracker.ietf.org/wg/dane/charter/
> 

In the case of an authentication using WebID: John connects to a
service S, which during the authentication process connects to John's
server. Is DNSSec the solution being considered to make sure there is
no MITM when S connects to John's server?

About the way "identity is social":

How do you see WebID being used at large in the social web, in the
future: I was wondering about how federated social networks currently
use, or interface with, WebID. At first it hadn't struck me as a
particularly appropriate mechanism on which to build social
networking, but in fact the http://myprofile-project.org/ manifesto
seems to be going in that direction (at the same time taking into
consideration the current flaws for social networking).

Next, what would be the possible ways of having multiple identities as
well as circles/groups (for friends, work, etc.): having multiple
WebIDs, or developing access control for clients accessing a WebID? (or
other?) I understand MyProfile is working on that sort of thing, among
others (according to their manifesto again).

Finally, how do you see the possibility of pseudonymous identities with
WebID? Meaning an identity that can be controlled by a single person
(and only by that person, or whoever else that person mandates),
consistently through time, but which is impossible to link to that
physical person. My question refers to the authentication process, and
not possible linkage due to what Tor addresses, like ip, browser
fingerprinting and the like: would it be possible to have a
pseudonymous WebID, impossible to link to any physical person through
information gathered during authentication (which means that kind of
WebID can't reside on a personal server)?

Or is it just not the right approach for pseudonymity?

Best regards,
- --
Sébastien Lerique
seblerique at wanadoo.fr | @wehlutyk on twitter/identi.ca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4eeB0ACgkQgkn/UaLvmGdAkQCdHzilAik3b6FYBurOuajYiwn/
GWoAnA5U0mVaI0HoFDRQUb0esxz5ka0b
=IIXd
-----END PGP SIGNATURE-----
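The authentication flow asked about above (service S dereferencing John's WebID during login, and whether a DANE-style pin on that fetch stops a man-in-the-middle) as an added example; this is not code from the original message, from the talk it quotes, or from any WebID implementation. It models WebID-TLS key matching with the W3C cert: vocabulary, but every certificate is a plain dict (subjectAltName URI, RSA modulus, exponent), the TLS server certificates are placeholder bytes, the hostnames and keys are constructed, the TLSA record is assumed to arrive over DNSSEC, and the profile "parser" is a regex that only handles the profile shape built here.

```python
"""Toy model of WebID-TLS login with the profile fetch pinned by a TLSA record.

Added example, not from the original post. All keys, hosts, certificates and
DNS records below are constructed fixtures; nothing touches the network.
"""
import hashlib
import re

CERT_NS = "http://www.w3.org/ns/auth/cert#"

# --- constructed fixtures --------------------------------------------------
JOHN_WEBID = "https://john.example/profile#me"        # assumed WebID
JOHN_MODULUS = 0xC0FFEEDEADBEEF1234                    # shortened stand-in
ATTACKER_MODULUS = 0xBADBADBADBADBAD01                 # shortened stand-in
EXPONENT = 65537

# Client certificates as the relying service S sees them after the TLS handshake.
JOHN_CLIENT_CERT = {"san_uri": JOHN_WEBID, "modulus": JOHN_MODULUS, "exponent": EXPONENT}
# The attacker's self-signed cert names John's WebID but carries the attacker's key.
ATTACKER_CLIENT_CERT = {"san_uri": JOHN_WEBID, "modulus": ATTACKER_MODULUS, "exponent": EXPONENT}


def profile_doc(webid, modulus, exponent):
    """Build a minimal Turtle WebID profile using the cert: ontology."""
    return (
        f"@prefix cert: <{CERT_NS}> .\n"
        f"<{webid}> cert:key [\n"
        f'    cert:modulus "{modulus:x}"^^<http://www.w3.org/2001/XMLSchema#hexBinary> ;\n'
        f"    cert:exponent {exponent} ] .\n"
    )


# Placeholder "DER" bytes for the TLS certificate each profile host presents,
# and the profile document it serves. In MITM_NET the attacker answers for
# john.example with her own TLS cert and a profile listing her own key.
JOHN_SERVER_DER = b"constructed DER of john.example TLS certificate"
MITM_SERVER_DER = b"constructed DER of the attacker's TLS certificate"
HONEST_NET = {"john.example": (JOHN_SERVER_DER, profile_doc(JOHN_WEBID, JOHN_MODULUS, EXPONENT))}
MITM_NET = {"john.example": (MITM_SERVER_DER, profile_doc(JOHN_WEBID, ATTACKER_MODULUS, EXPONENT))}

# TLSA record for john.example: usage 3 (DANE-EE), selector 0 (full certificate),
# matching type 1 (SHA-256). Assumed to have been validated via DNSSEC.
JOHN_TLSA = (3, 0, 1, hashlib.sha256(JOHN_SERVER_DER).hexdigest())


def tlsa_matches(server_der, tlsa):
    """Compare the presented server certificate against a DANE-EE/full-cert/SHA-256 record."""
    usage, selector, mtype, data = tlsa
    if (usage, selector, mtype) != (3, 0, 1):
        raise NotImplementedError("only DANE-EE / full cert / SHA-256 is modelled here")
    return hashlib.sha256(server_der).hexdigest() == data


def fetch_profile(webid, network, tlsa=None):
    """Dereference the WebID; when a TLSA record is given, refuse an unpinned server."""
    host = re.match(r"https://([^/]+)/", webid).group(1)
    server_der, doc = network[host]
    if tlsa is not None and not tlsa_matches(server_der, tlsa):
        raise ConnectionError(f"TLSA mismatch for {host}: possible man-in-the-middle")
    return doc


def keys_in_profile(doc, webid):
    """Return the (modulus, exponent) pairs the profile asserts for webid (regex, toy shape only)."""
    if f"<{webid}>" not in doc:
        return []
    pattern = r'cert:modulus\s+"([0-9a-fA-F]+)"[^;]*;\s*cert:exponent\s+(\d+)'
    return [(int(m.group(1), 16), int(m.group(2))) for m in re.finditer(pattern, doc)]


def authenticate(client_cert, network, tlsa=None):
    """WebID-TLS check: the cert's public key must appear in the dereferenced profile."""
    webid = client_cert["san_uri"]
    try:
        doc = fetch_profile(webid, network, tlsa)
    except ConnectionError:
        return None
    if (client_cert["modulus"], client_cert["exponent"]) in keys_in_profile(doc, webid):
        return webid
    return None


if __name__ == "__main__":
    print("honest, pinned:     ", authenticate(JOHN_CLIENT_CERT, HONEST_NET, JOHN_TLSA))
    print("attacker, honest net:", authenticate(ATTACKER_CLIENT_CERT, HONEST_NET, JOHN_TLSA))
    print("attacker, MITM, no pin:", authenticate(ATTACKER_CLIENT_CERT, MITM_NET))
    print("attacker, MITM, pinned:", authenticate(ATTACKER_CLIENT_CERT, MITM_NET, JOHN_TLSA))
```

The third case is the attack the quoted reply alludes to: if S fetches the profile without any authentication of John's server, an attacker who sits between S and john.example can serve a profile naming her own key, and her self-signed client certificate bearing John's WebID is accepted as John. Pinning the fetch to a DNSSEC-delivered TLSA record (fourth case) makes the substituted server certificate fail before the profile is ever parsed; a CA-validated certificate on john.example would close the same hole, which is the trade-off the quoted reply is weighing.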


