Jonas Smedegaard <d...@jones.dk> writes:

> Quoting Olivier Berger (2013-05-14 14:27:51)
>> I'm not so sure how GPG integrates in the WebID landscape, but it seems
>> to me that WebID, based on Linked Data principles, has some similarity
>> with Web of Trust concepts well known in the GPG system.

> Daniel has raised concerns about WebID:
> http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/001030.html

> Quite frustrating, because I trust Daniel's reasoning on crypto matters
> far better than my own, yet feel strongly that WebID is the right way to
> go for loosely coupled trust chains like this.

I'd never heard of WebID before this thread, but looking briefly at the
spec, I share Daniel's concerns.

I don't see how this eliminates reliance on the normal CAs. You still
have to do certificate validation to be able to trust the link between
URL and keypair, and the WebID protocol provides no way to do that
certificate validation other than the normal CA process (and doesn't
provide any alternative CA). If you're going to trust the normal CAs
anyway, all that WebID is really giving you is the ability to add
additional metadata to the user's public certificate by publishing it at
a linked URL; you're still trusting the public CAs implicitly to verify
that user's certificate.

Furthermore, you're not even using a direct CA signature, but rather are
using the server certificate of the web server the user gives you in the
URL to validate that their *client* certificate is owned by them. I
haven't fully thought through the implications of that, but at first
glance it strikes me as a repurposing of authentication data in a way
that isn't theoretically sound.

WebID is trying to solve both the authentication problem and the
distributed identity management problem. Do we actually need the
identity management functionality?
If not, then the FOAF data isn't needed, and an X.509 certificate from a
Debian CA that issues certificates based on GnuPG-signed requests would
be sufficient for us to bootstrap our own X.509 infrastructure without
all the additional complexity of WebID. (With the caveat, as mentioned
previously, that we'd have to do some thinking about expiration times
and revocation.)

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87k3n14i5f....@windlord.stanford.edu
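The WebID-TLS check that Russ is describing, written out as an added example (this is not code from the thread, from the WebID spec, or from any WebID implementation). A client certificate carries the user's WebID as a subjectAltName URI; the verifier fetches that URL and accepts the certificate only if the profile document publishes the same RSA modulus and exponent. The `fetch` callable stands in for the HTTPS GET: in a real deployment the only thing binding the URI to the returned bytes is the web server's certificate chain, validated against the verifier's CA store, which is the point of the message above. The WebID URI, the `cert:` ontology shape (`cert:modulus` as hexBinary, `cert:exponent` as an integer), and the `honest_pages` / `attacker_pages` dictionaries are constructed for the example; the `cryptography` package is assumed to be installed.

```python
"""WebID-TLS style verification, as an illustration (not real WebID code).

The client cert's SAN URI names a profile document; the verifier accepts the
cert only if that document publishes the cert's RSA public key.  Note that
nothing in this check validates the client cert's own signature chain: the
trust rests entirely on where `fetch` got the document from.
"""
import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed WebID for the example; not a real profile.
ALICE_WEBID = "https://alice.example/profile#me"


def make_client_cert(webid_uri, common_name="alice"):
    """Self-signed client cert with the WebID in a subjectAltName URI entry."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    san = x509.SubjectAlternativeName([x509.UniformResourceIdentifier(webid_uri)])
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: no CA vouches for this cert
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )


def profile_document(webid_uri, public_numbers):
    """Turtle profile in the shape the WebID spec uses for RSA keys."""
    return (
        "@prefix cert: <http://www.w3.org/ns/auth/cert#> .\n"
        "@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .\n"
        f"<{webid_uri}> cert:key [ a cert:RSAPublicKey ;\n"
        f'    cert:modulus "{public_numbers.n:x}"^^xsd:hexBinary ;\n'
        f"    cert:exponent {public_numbers.e} ] .\n"
    )


# Minimal extraction of (modulus, exponent) pairs; a real verifier would use
# an RDF parser, but the documents here are constructed and well-formed.
KEY_BLOCK_RE = re.compile(r"cert:key\s*\[(.*?)\]", re.DOTALL)
MODULUS_RE = re.compile(r'cert:modulus\s+"([0-9a-fA-F]+)"')
EXPONENT_RE = re.compile(r"cert:exponent\s+(\d+)")


def published_keys(document):
    keys = []
    for block in KEY_BLOCK_RE.findall(document):
        mod, exp = MODULUS_RE.search(block), EXPONENT_RE.search(block)
        if mod and exp:
            keys.append((int(mod.group(1), 16), int(exp.group(1))))
    return keys


def webid_uris(cert):
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.UniformResourceIdentifier)


def verify_webid(cert, fetch):
    """Return the WebID URI the cert was verified against, or None.

    `fetch(uri)` returns the profile document text or None.  In practice it
    is an HTTPS client, so this function trusts whatever the CA bundle lets
    that client trust; the client cert itself is never chain-validated.
    """
    pub = cert.public_key().public_numbers()
    for uri in webid_uris(cert):
        doc = fetch(uri)
        if doc is not None and (pub.n, pub.e) in published_keys(doc):
            return uri
    return None


def make_fetcher(pages):
    """Stand-in for an HTTPS GET over a constructed, in-memory 'web'."""
    return lambda uri: pages.get(uri)


def demo():
    alice_cert = make_client_cert(ALICE_WEBID)
    mallory_cert = make_client_cert(ALICE_WEBID, common_name="mallory")

    # Honest web: Alice's profile publishes Alice's key.
    honest_pages = {ALICE_WEBID: profile_document(
        ALICE_WEBID, alice_cert.public_key().public_numbers())}
    # Whoever can make the verifier's HTTPS fetch of Alice's URL return their
    # own document (a server cert the CA store accepts) publishes their key.
    attacker_pages = {ALICE_WEBID: profile_document(
        ALICE_WEBID, mallory_cert.public_key().public_numbers())}

    return {
        "honest": verify_webid(alice_cert, make_fetcher(honest_pages)),
        "key_mismatch": verify_webid(mallory_cert, make_fetcher(honest_pages)),
        "controlled_fetch": verify_webid(mallory_cert, make_fetcher(attacker_pages)),
    }


if __name__ == "__main__":
    print(demo())
```

The three results make the argument concrete: against the honest profile, Alice's certificate verifies and Mallory's does not, but once Mallory controls what the fetch returns for Alice's URL, Mallory's self-signed certificate verifies as Alice. Swap `make_fetcher` for a real HTTPS client and that control is exactly "present a server certificate the verifier's CA bundle accepts", so the client cert's ownership is only as trustworthy as the public CAs.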