On 05/14/2013 10:03 AM, Jonas Smedegaard wrote: > I have also thought WebID would be a perfect match for things like this. [...] > Daniel has raised concerns about WebID: > http://lists.alioth.debian.org/pipermail/freedombox-discuss/2011-March/001030.html > > Quite frustrating, because I trust Daniels reasonings on crypto matters > far better than my own, yet feel strongly that WebID is the right way to > go for loosely coupled trust chains like this. > > I think the way forward is for someone understanding WebID deeply to > explain it to Daniel and others working on Monkeysphere, to get it > integrated there. > > As I understand it, technically the paperkey tool can be used to to > flesh out the core crypto material from a GPG (sub!)key and wrapping > that into an SSL key should be the way to go. But that alone is not > enough: We also need trust in WebID from those in Debian deeply > understanding crypto. > > Cc'ing Daniel, hoping he has time to shed some renewed light on this.
Web ID as a key verification mechanism has problems with centralized
authority. Passwords have their own (distinct) set of serious problems,
as far as i can tell.
However, if we use Web ID as a key discovery mechanism and use other
(non-centralized, non-third-party) mechanisms to validate the keys found
therein, that seems like one decent way forward.
I'd be happy to see debian lead the way on using passwordless client
authentication on the web; other (non-debian) groups might want to use
similar infrastructure, and may even be willing to accept centralized,
third-party points of control. They might still be better off than the
current FAIL of trying to avoid authentication replay attacks by asking
users politely to not reuse passwords across multiple authentication
domains.
I happen to think that debian is sufficiently capable that our internal
infrastructure should not be able to be MITM'ed by, say, the next
Diginotar (and it should not be DoS'ed by such a disaster either, the
way .nl was). If adopting WebID puts us in that boat, that would be a
sad thing. But i'm not saying anything that our DSA doesn't already
know, and they're better sysadmins than that.
And as a project, we already have a community-reinforced authentication
infrastructure (the OpenPGP certification network that all contributors
have to be connected to, as guided by the excellent debian-keyring
maintainers) that we could tie that key verification to without exposing
ourselves to greater risk from the diginotars of the world.
if i can help in implementing a debian-keyring-derived verification of
Web-ID-discovered keys for client-side TLS authentication, i'd be happy
to try to pitch in in my copious (why is there no sarcasm emoticon yet?)
free time.
Regards,
--dkg
PS please cc me on followup.
signature.asc
Description: OpenPGP digital signature
