Jonas Smedegaard <d...@jones.dk> writes:

> This seems similar as WebID: In principle ties to HTTPS - and therefore
> the CA cartel - is only optional (other URIs than http ones suffice).
> In reality alternatives to HTTP(S) is work in progress.

Changing the protocol doesn't help you get away from the CA dependency. The reason why there's a CA dependency is not because it happens to use the HTTPS protocol. It's because you have to authenticate the provider of identity data (the other end of the URI, whatever it may be) or you're vulnerable to having the attacker intercept your query and supply whatever data they want. There's no way around that.

To get away from the CA model, WebID is going to have to introduce another authentication system to verify the other end of the URI, not just another protocol. And there aren't a lot of protocols out there for doing that sort of distributed, federated authentication other than X.509 and the CA model. You could, in theory, switch to DNSSEC, but now you're just replacing one CA cartel with another.

In theory, you could use the PGP web of trust instead, but bear in mind that the security model of WebID is based on validating the URI endpoint rather than the user. URI end points generally don't have PGP keys, nor are they generally part of the PGP web of trust, so there's a bit of a bootstrapping problem there.

To a large extent, the practical effect of WebID is that it's a way of substituting one authentication system for another. The problem that it's trying to solve is that user key distribution and key verification is hard, so it allows the user to bind their key to a URI and the server to verify that the URI and the key are bound by retrieving the URI. In essence, this moves the authentication problem from user authentication to URI endpoint authentication, under the theory that we already know how to validate URI endpoints and that such validation is an easier problem.

If you don't agree with the assertion that we already know how to validate URI endpoints (which is the source of the objections to trusting the CA cartel), WebID looks to me like it basically falls apart from a security standpoint.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
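
An added illustration of the argument in the message above (not part of the original post, and not WebID's actual protocol code): a simplified model of the server-side check, in which an HMAC under a shared secret stands in for whatever system authenticates the URI endpoint (CA, DNSSEC, web of trust). All names, URIs and keys are constructed.

```python
import hashlib
import hmac

# Stand-in (assumption) for the trust anchor that authenticates the URI endpoint.
ANCHOR_KEY = b"constructed-trust-anchor-secret"
ALICE_URI = "https://alice.example/profile#me"    # constructed
ALICE_KEY = b"alice-public-key (constructed)"
OTHER_KEY = b"other-public-key (constructed)"

def fingerprint(public_key):
    return hashlib.sha256(public_key).hexdigest()

def endpoint_proof(uri, keys, anchor_key=ANCHOR_KEY):
    """Tag binding the URI to the profile content; only the real endpoint can make it."""
    msg = uri.encode() + b"\0" + "\n".join(sorted(keys)).encode()
    return hmac.new(anchor_key, msg, hashlib.sha256).digest()

def verify_webid(claimed_uri, client_key, fetch, authenticate_endpoint=True):
    """Accept the client only if the profile retrieved from claimed_uri lists its key."""
    keys, proof = fetch(claimed_uri)
    if authenticate_endpoint:
        expected = endpoint_proof(claimed_uri, keys)
        if not hmac.compare_digest(proof, expected):
            return False  # the response is not from the authenticated endpoint
    return fingerprint(client_key) in keys

def honest_fetch(uri):
    # The genuine endpoint serves the owner's key with a valid proof.
    keys = [fingerprint(ALICE_KEY)]
    return keys, endpoint_proof(uri, keys)

def intercepted_fetch(uri):
    # The query was answered by someone else, who does not hold ANCHOR_KEY.
    keys = [fingerprint(OTHER_KEY)]
    return keys, b"\0" * 32

def run_cases():
    return {
        "honest fetch, endpoint authenticated":
            verify_webid(ALICE_URI, ALICE_KEY, honest_fetch),
        "intercepted fetch, endpoint authenticated":
            verify_webid(ALICE_URI, OTHER_KEY, intercepted_fetch),
        "intercepted fetch, endpoint not authenticated":
            verify_webid(ALICE_URI, OTHER_KEY, intercepted_fetch,
                         authenticate_endpoint=False),
    }

if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The key-to-URI check is identical in all three cases; only the endpoint authentication step decides whether a substituted profile is rejected, whichever protocol carries the query.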