[Freedombox-discuss] WebID
Jonas Smedegaard
dr at jones.dk
Sun Mar 6 18:27:14 UTC 2011
On Tue, Mar 01, 2011 at 07:51:07PM +0100, Melvin Carvalho wrote:
>On 1 March 2011 19:34, Jonas Smedegaard <dr at jones.dk> wrote:
>> On Tue, Mar 01, 2011 at 07:04:53PM +0100, Melvin Carvalho wrote:
>>>
>>> On 1 March 2011 18:44, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
>>> wrote:
>>>>
>>>> On 03/01/2011 12:33 PM, Melvin Carvalho wrote:
>>>>>
>>>>> But actually there is a way in the case of the Freedom Box,
>>>>> because you have the advantage of controlling your own server.
>>>>>
>>>>> Since you are already running a webserver and (hopefully) have
>>>>> control of your DNS.
>>>>>
>>>>> You can provide a two-way verification chain.
>>>>>
>>>>> 1. Your Person Profile publishes your public key. (this is a few
>>>>> lines of html5, should be easy)
>>>>> 2. Point your self-signed X.509 to your Freedom Box profile. This
>>>>> can be done by putting an entry in the SubjectAltName field of the
>>>>> cert, a common technique.
>>>>>
>>>>> This provides strong verification for all the X.509 tool chain and
>>>>> means you can talk security to any server using SSL/TLS which is
>>>>> most of them, providing strong authentication as a side product.
>>>>
>>>> This doesn't provide an adequate means of revocation, though. If
>>>> an attacker gets control over your key, and is able to repoint DNS,
>>>> then you cannot publish any revocation statement about this key
>>>> through this channel.
>>>
>>> If an attacker does gain these two points of control, and they knew
>>> what they were doing, you could have an issue yes.
>>>
>>> We need to scope out a revocation model, but I dont think it's that
>>> hard. May already be something existing, I'll have a check.
>>
>> Without plauing with it yet myself, I blindly assumed Monkeysphere
>> was usable for exactly this: use GPG web of trust to assure
>> certificates.
>>
>>
>>>> These two points are what i meant when i said that this model has
>>>> "no way of verifying/revoking these keys".
>>>>
>>>> I'm sure you could graft something like this onto <X.509+your
>>>> scheme above>; but OpenPGP already exists and handles these cases
>>>> pretty well. Why reinvent the wheel?
>>>
>>> Because X.509 is quite webby, and the web is the dominant ecosystem
>>> on the internet.
>>
>> more specifically: TLS allows for RESTful secure identity handling -
>> which helps save bandwidth as is is friendly to proxies and other
>> caching.
>>
>> http://www.w3.org/wiki/WebID
>
>Yes, exactly.
>
>There's a group that has now moved this a step closer to
>standardization with the a W3C Web Consortium Incubator Group.
>
>http://www.w3.org/2005/Incubator/webid/charter
>
>I know revocation has been raised as a topic. I normally listen in on
>the telecons, so I can report back on this topic, and any others people
>with to raise.
Awesome!
On a related note, I now (after fighting intensely with it for 3 days,
producing the needed 27 Debian packages) I have now packaged
libcgi-auth-foaf-ssl-perl which is a Perl implementation of WebID.
The work is now pending approval into Debian, and is also available
using the following APT line:
deb http://debian.jones.dk/ sid freedombox
I would appreciate any and all comments on these packages (and also do
tell me if you are interested in the field of RDF using Perl and need
other libraries packaged!).
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110306/a7634e6d/attachment.pgp>
More information about the Freedombox-discuss
mailing list