Re: WebID-ISSUE-39: Simplify how public keys are expressed from Henry Story on 2011-02-17 (public-xg-webid@w3.org from February 2011)

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 17 Feb 2011 10:43:35 +0100
To: WebID Incubator Group WG <public-xg-webid@w3.org>
Cc: Peter Williams <home_pw@msn.com>
Message-Id: <B537E5A6-24F8-48D3-9F71-38BD8B122E96@bblfish.net>
On 16 Feb 2011, at 19:01, Peter Williams wrote:

> Certs are not encoded in asn1 value syntax, Henry. Asn1 is just a language of specification, of description of types and values. It c, vs the assembler generated from expanding the c macros into good patterns of machine instructions that then allow for engineering in the native instructions of the machine.

Yes. ASN.1 has encodings in a number of formats including XML, and apparently there are even methods to take XML schemes and turn them into ASN.1. Here of course everyone is thinking of the binary encodings. So more precisely I am  speaking up against mixing XML, JSON, or other notations with an ASN.1 binary encoding. That creates a burden for the parser of an encoding in one language to also know the encoding in another language, for no added benefit, other than complexity. And as we know complexity is the enemy of security.

> 
> If we can point to a .sig file in wot, we can point to a .CRT in graphs more generally (since . CRT and . Sig share almost identical unwebiness, and are related since both are digital signatures (of something - that we look to the graph for the answer)).

Pointing is a completely different matter. It is embedding I am against. The Web allows one to name resources in different formats. You don't embed a picture in the HTML, you point to it with a <img src=""> xml element. Why? Because it means that the picture can be cached (even over TLS! but in that case by the client or server) and different representations can be served.

> 
> The notion of "ugliness" is dealt with by reference to history (of the php . Sig) when ugliness was succesfully traded against utility, legacy and adoptibility. Never an easy tradeoff to make... But ones that seem to influence mass take-up in the crypto-political space.

In security simplicity is key. 

> We ate gnats biting the skins of several elephants, with billion dollar budgets) The only way to get them to move - being a gnat - is to induce a stampede (from fear, or towards food).

Yes you do that by making things simple enough that people with a bit of perl or php skills can join, not by making things unnecessarily complicated. The more of them join, the more they will all look like a new elephant. 

The linked data semweb piece is key because it allows distributed social networks. So it is a complexity we must accept. Putting three different formats inside one format brings only the illusory benefit for those who clearly see they don't have time to understand what is going on, and it ties people into ignorance, which is always a place where security holes hide.




> On Feb 16, 2011, at 9:29 AM, Henry Story <henry.story@bblfish.net> wrote:
> 
>> 
>> On 16 Feb 2011, at 17:52, Peter Williams wrote:
>> 
>>> I relate this to the wot ontology which showed how to relate to a pgp signature file stream (in some unusual syntax related to asn1).
>>> 
>>> Perhaps , very similarly, one can relate to a .CRT file with x509 signature (attached to a cert bearing a public key).
>> 
>> My conclusion from that debate was:
>> - don't mix syntaxes. ASN.1 Stands for Abstract Syntax Notation. Why should one mix HTML or XML or JSON in with ASN.1 ?
>> - stick to semantics. ASN.1 is syntax. our protocol is defined at the semantic level. We want to be syntax agnostic.
>> - It's not that flexible. What happens when we start wanting to use Elliptic curve cryptography. Even the people in the DNSsec world are trying to get away from ASN.1 formats!
>> 
>>  That does not mean that ASN.1 has no place. A document encoded in an ASN.1 format is just another document. That is what ISSUE-6: "using ASN.1 formats for WebID description" is for. 
>>  http://www.w3.org/2005/Incubator/webid/track/issues/6
>> 
>> 
>> Henry
>> 
>>> 
>>> 
>>> 
>>> On Feb 16, 2011, at 6:24 AM, WebID Incubator Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>>> 
>>>> 
>>>> WebID-ISSUE-39: Simplify how public keys are expressed
>>>> 
>>>> http://www.w3.org/2005/Incubator/webid/track/issues/39
>>>> 
>>>> Raised by: Nathan Rixham
>>>> On product: 
>>>> 
>>>> Issue raised by Manu Sporny / Nathan at https://github.com/webid-community/webid-spec/issues#issue/12
>>>> 
>>>> Create a new mechanism to simply list public keys from a profile document to a certificate. More information can be found here:
>>>> 
>>>> http://lists.foaf-project.org/pipermail/foaf-protocols/2010-September/003603.html
>>>> 
>>>> and here:
>>>> 
>>>> http://lists.foaf-project.org/pipermail/foaf-protocols/2010-September/003705.html
>>>> 
>>>> and here:
>>>> 
>>>> http://lists.foaf-project.org/pipermail/foaf-protocols/2010-October/003837.html
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
>> 
>> 

Social Web Architect
http://bblfish.net/
Received on Thursday, 17 February 2011 09:44:12 UTC