Re: WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of Trust [research] from Reto Bachmann-Gmuer on 2011-02-21 (public-xg-webid@w3.org from February 2011)

From: Reto Bachmann-Gmuer <reto.bachmann@trialox.org>
Date: Mon, 21 Feb 2011 16:57:20 +0100
To: peter williams <home_pw@msn.com>
Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
Message-ID: <AANLkTi=y_U_rGhUgBJ8e6bzJoyfB+=hN2s2cjxv1W6i=@mail.gmail.com>

On Mon, Feb 21, 2011 at 4:29 PM, peter williams <home_pw@msn.com> wrote:

> It does need some more refinement.
>
> I see a PGP wot qualifying the public key present in a foaf card.
>
> If a resource server receives a self-signed cert during SSL client authn,
> obtains attributes from a (trustworthy) network source located using the
> subject's name, and determines that one attribute is the public key of the
> self-signed cert, then it may consult the PGP key ring.
>
> If the public key is on the pgp key ring, the key ring will compute a
> confidence metric for that key given the context of intended usage and the
> intended audience (based on some logic specific to the PGP community). If
> the metric passes a threshold on some scale, the resource server relies on
> the evidences from the various parties and proceeds to access control (as is
> traditional in IBAC systems for 30+ years).
>
> If you dont like PGP or its means of computing confidence metrics, one uses
> something equivalent for computing a metric, such as an OCSP responder
> located by a URI in the self-signed cert, or one uses cert chains and CRLDPs
> and delta CRLs.....  One can even use a foaf graph... or a facebook/twitter
> "following chain".
>

Interesring the idea of using pgp keyring for verifying webid-keys. I was
thinking more towards the foaf-graph approach, this might have the potential
of being more transparent and easy than PGP Wot and also potentially
allowing other means of key revocation. However unless you say the network
is trustworthy and define that how this happens is out of scope, the WebId
mechanism/ontology should have at least one of these features:
- support signed assertions about id-public key associations
- support verification of the server certificate in https

Cheers,
Reto




>
> -----Original Message-----
> From: public-xg-webid-request@w3.org [mailto:
> public-xg-webid-request@w3.org] On Behalf Of WebID Incubator Group Issue
> Tracker
> Sent: Monday, February 21, 2011 12:58 AM
> To: public-xg-webid@w3.org
> Subject: WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web
> of Trust [research]
>
>
> WebID-ISSUE-45 (pgp-comparison): Compare WebId with PGP/GnuPG Web of Trust
> [research]
>
> http://www.w3.org/2005/Incubator/webid/track/issues/45
>
> Raised by: Reto Bachmann-Gmür
> On product: research
>
> Compare what can be done and how easy it is using PGP-WOT vs. WebId
> technologies.
>
> WebId offers easier weak security mechanism (replacement of email
> authentication), can WebId also provide high degree of security with
> transitive trust features?
>
>
>
>
>
>

Received on Monday, 21 February 2011 15:57:53 UTC