[Freedombox-discuss] FOAF developers taking FreedomBox into their equation

Jonas Smedegaard dr at jones.dk
Sat Mar 12 23:33:39 UTC 2011


On Sat, Mar 12, 2011 at 04:20:59PM -0500, Boaz wrote:

>WebID is [not!] an authentication mechanism.

[proposal for new user-friendly P2P authentication mechanism]

>What does everyone think about all this?


Thank you very much. I think (and hope) that I got it now.

That _identifiaction_ mechanisms should not be confused with 
_authentication_ mechanisms.

I have seen _many_ places this emphasizing (e.g. explanations of OpenID, 
that WebID page you also referred to, and also in a recent mail here on 
the list from Daniel Kahn).  And I thought I was aware of it (even felt 
slightly annoyed when Daniel raised that point).  But still I needed to 
have it repeated once more.


But reading half-way through your email, I came up with a different 
approach - which I dare present as a complementary one: Existing WoT!

When you installed that Windows or Mac system and started using it, you 
trusted it to serve you - which includes trusting it to serve you in 
establishing a discrete conversation via the untrusted internet.  You 
did not care if they invented their security mechanisms in-house or 
bought it from, say, Verisign.  That's irrelevant as a user!

Now you lost trust in that old system and bought a FreedomBox that you 
use as proxy or filter or whatever.  Again you do not care how these 
geeks implements security mechanisms.

Point is, you already put a lot of trust in the _system_ and those 
_selling_ it to you.  Whether you are told "when the light is green, 
then the box can be trusted" or "if you say banana bonanza into the 
phone and the other end reads banana bonanza" is same shit: You trust 
_us_.

I propose that we by default use PGP.  Not that we by default teach our 
users to do keysigning (that's cool too, but a separate task), but that 
we offer them to trust not only our box and its software, but also our 
actual pre-established Web of Trust.

So let's offer our users, as a bootstrapping method of trust "fuel", our 
existing PGP Web of Trust.

Let's ship FreedomBox with Monkeysphere preloaded with the content of 
the Debian package "debian-keyring" - i.e. the WoT of Debian already 
trusted for the code.

Sure let it be optional - our users can choose to switch to a different 
WoT of their liking.  Just as today users can choose to remove Verisign 
from their web browser trust mechanism.  With the difference that it is 
a large _decentral_ trust mechanism used by default rather than a large 
_central_ one.

Then we can try invent a) ZRTP trust-noone-but-yourself-not-even-Debian,
PGP make-your-own-WoT, FOAF put-trust-in-friendships etc., independently 
or - if possible - parallel trust mechanisms all governing concurrently.

Point is, all of them require user interface design if nothing else, 
which makes them tough to implement (read: takes time).  Hooking 
existing Wot (Debian Developers) together using existing glue 
(Monkeysphere) should take less time, I assume.


How does that sound?


  - Jonas

-- 
  * Jonas Smedegaard - idealist & Internet-arkitekt
  * Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110313/1c75ee08/attachment.pgp>


More information about the Freedombox-discuss mailing list