Quoting Olivier Berger (2013-05-14 14:27:51)
> Russ Allbery <r...@debian.org> writes:
>
> > Raphael Hertzog <hert...@debian.org> writes:
> >> On Mon, 06 May 2013, Joerg Jaspert wrote:
> >
> >>> Nah, the webinterface just should end up like the DAM
> >>> webinterface: You do whatever you need, then click a button - and
> >>> voila, there is everything ready to copy/paste into a MUA. Send
> >>> with sig, done.
> >
> >> Why? This is just a band-aid and not what I would call a web
> >> interface. And except laziness I don't see a good reason for that.
> >> Web interfaces can be secure (and with an audit trail in case of
> >> breach). After all we can manage our Debian passwords over a web
> >> interface...
> >
> > That level of security isn't great, though. GPG keys are much more
> > secure than that password. What we would want for equivalent
> > security in a web interface is personal X.509 certificates.
> >
>
> WebID [0] could be useful in this respect. It includes the use of SSL
> certs for authentication, in addition to other benefits (see some
> discussion in the thread at [1]).

I have also thought WebID would be a perfect match for things like this.

> > I think it would be interesting to have that infrastructure in
> > place, but someone would need to build it (probably with some
> > mechanism to bootstrap GPG keys into X.509 certificates -- and be
> > careful of expiration times and figure out a good way to deal with
> > revocation).
> >
>
> I'm not so sure how GPG integrates in the WebID landscape, but it
> seems to me that WebID, based on Linked Data principles, has some
> similarity with Web of Trust concepts well known in the GPG system.

Daniel has raised concerns about WebID:
http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/001030.html

Quite frustrating, because I trust Daniel's reasoning on crypto matters
far better than my own, yet feel strongly that WebID is the right way to
go for loosely coupled trust chains like this.

I think the way forward is for someone understanding WebID deeply to
explain it to Daniel and others working on Monkeysphere, to get it
integrated there.

As I understand it, technically the paperkey tool can be used to flesh
out the core crypto material from a GPG (sub!)key and wrapping that into
an SSL key should be the way to go.

But that alone is not enough: We also need trust in WebID from those in
Debian deeply understanding crypto.

Cc'ing Daniel, hoping he has time to shed some renewed light on this.

 - Jonas

[interest]: http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/000836.html
[scepticism]: http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-August/002426.html

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private