[Freedombox-discuss] FOAF developers taking FreedomBox into their equation

Melvin Carvalho melvincarvalho at gmail.com
Thu Mar 10 14:54:43 UTC 2011


On 10 March 2011 15:11, Clint Adams <clint at debian.org> wrote:
> On Thu, Mar 10, 2011 at 01:51:48PM +0100, Henry Story wrote:
>> This is the equivalent in PGP land of losing control of your private key. What do you do then?
>
> I think it is more the equivalent of losing control over a uid.  In
> PGP-land I would merely revoke that uid from my key, and publish the
> revocation to the world.  In my hypothetical example there has been
> no loss or compromise of secret key material, so things could quickly
> be business as usual assuming my colleagues refresh their keyrings
> and discover my revocation and possibly a new uid.
>
> In the event that I also lost control of my private key, I would use
> a revocation certificate to revoke the entire key, and then I would
> re-establish my presence in the web of trust by getting certifications
> from people in a position to establish my identity through other means.
>
>> Since the value of a WebID is its relation in a network, you should have all your friends remove their links to that WebID, or even have them specify that the URI is outdated as a relation for you.
>
> If the WebID is my identity, and someone else has it, how do I prove
> that it has been compromised?
>
>> But one can imagine building other layers to make things more secure. The problem is that every layer you add will make adoption more difficult and create other issues. In the meantime FaceBook and clowns don't have anything stopping their momentum.
>>
>> So one thing one could do is if you were to use a cryptokey/token card, would be to publish the relation to this key as a token card one - ie, one that you can expect to keep for a long time. Your friends could then republish your relation to this key. Now if you lose your token card you'll have to go to all your friends to ask them to change that information in case someone relies on that. But servers that wish to be more secure could give you extra access rights if you use the token card key that all your friends say you have.
>>
>> We have stuck with the simplest part for the moment, because it is enough to get the Social Web distributed. It will certainly be interesting once we have a few better implementations to see how we can add trust by people signing each others documents. But this is not an easy thing to get right.
>
> I understand wanting to do things half-assed to harness momentum.
> What I am concerned about is a future point in time where we have
> to throw out the entire AAA infrastructure and replace it with
> something else.  If no one is working on these other complex layers,
> can we be assured that that will not be necessary?
>
> Or perhaps the cost of complete replacement is low and I am worrying
> for naught.

Why are you assuming you need to throw out the PGP tool chain in order
to use WebID?  Can't the best aspects of two great solutions be leveraged
together, perhaps even using the same key pairs?
