Hi again. Just in case it helps a bit more, let me forward you this message from Andrei Sambra, a Debian user and WebID working group member (who's also the developer of MyProfile, a "killer demo" service of WebID at [1] - project/code at [0]).

Andrei read the thread and wanted to provide some feedback but isn't subscribed to debian-devel@. Hope this helps.

[0] http://myprofile-project.org/
[1] https://my-profile.eu/

Russ Allbery <r...@debian.org> writes:

> What am I missing?
>
> I suppose one thing that I could be missing is that, with a certificate,
> you have no privacy controls over what metadata you release. Whatever you
> put in the certificate is visible to anyone who looks at the certificate.
> (Well, you could encrypt it and then distribute a separate key, but that's
> getting into pointless complexity.) Whereas in theory your WebID endpoint
> could release different metadata depending on who asks. But since WebID
> doesn't authenticate the entity asking for metadata, I'm not sure that's
> really what's going on.
>

---- Forwarded ----
Andrei Sambra <and...@fcns.eu> (12 mins. ago) (inbox)
Subject: WebID thread on Debian
To: Olivier Berger <olivier.ber...@it-sudparis.eu>
Date: Fri, 17 May 2013 13:06:40 +0200

Hi!

My name is Andrei Sambra and I am one of the WebID spec authors. I would like to answer some of the questions/worries that have been mentioned in this thread, so please allow me to explain WebID-TLS once more.

Among the useful things that WebID-TLS attempts to provide, the most important one is that it decouples identity from authentication. WebID is meant to allow users to bring with them a lot of useful attributes regardless of the authentication method used during login. By doing so, it allows services/applications to take advantage of a lot of useful user data, in a completely decentralized environment. This is how we usually avoid the "silo" paradigm - i.e. I don't want to have yet another account with Debian in order to be able to maintain my packages; I just want to log in with my own identity, provided by my own identity platform. At this point, the proposed authentication method is based on client certificates, which also takes advantage of TLS.

I sympathise with you and I understand why everyone hates client certificates given the current state of CA trust, but even though WebID-TLS uses certificates, it doesn't use them according to the standard CA chain trust model. In WebID-TLS, certificates are _only_ used to verify cryptographic claims, i.e. that the user trying to authenticate holds the private key corresponding to a public key which he/she already published. Being a distributed authentication protocol, it does not rely on verifying the trust chain of CA signatures (that would be pointless, as you will soon discover). Instead, WebID-TLS uses the WOT to build trust, in pretty much the same way that GPG does it, only that in WebID we link to other people instead of signing the keys.

This has several advantages, among the most important ones being that keys (certificates) need not be persistent. One creates and discards certificates as often as they need to, for whatever reasons. Instead of putting the accent on the private key (as in the case of GPG), WebID-TLS puts the accent on the user's profile document, which contains the user's WOT. For GPG, losing the private key can have disastrous implications, as it takes time and effort (key signing parties) to rebuild the WOT. This is no longer the case for WebID-TLS, since a certificate can be immediately invalidated by removing its corresponding public key from the profile document, while at the same time not affecting the WOT.

I hope I was able to clarify some things with this email. Please try to give WebID another chance and go over the specs one more time. Here are the links in case you've lost them.

WebID - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/identity-respec.html
WebID-TLS - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html

Best,
Andrei Sambra

-- 
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)

Archive: http://lists.debian.org/87mwrt97dz....@inf-8657.int-evry.fr
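The relying-party step Andrei describes (check that the public key in the presented certificate is published in the profile document named by the certificate's SubjectAltName URI, ignore any CA chain, and revoke by deleting the key from the profile without touching the rest of the document), as an added example that is not part of this thread, of MyProfile, or of any WebID implementation. It assumes the TLS layer has already completed the handshake (which is what proves possession of the private key) and handed the application the SAN URIs, modulus and exponent; the two moduli, the profile document and the WOT link in it are constructed, the profile is "fetched" from an in-memory map instead of over HTTP, and the profile is read with a regex that only understands the bracketed `cert:key` shape from the WebID-TLS spec, not full Turtle (a real deployment would use an RDF parser).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Profile vocabulary from the WebID-TLS spec: a cert:key blank node carrying
# cert:modulus (xsd:hexBinary) and cert:exponent (xsd:integer). The patterns
# only recognise the bracketed shape of the spec's example (assumption).
KEY_RE = re.compile(r"<([^>]*)>\s+cert:key\s*\[(.*?)\]\s*\.", re.S)
MOD_RE = re.compile(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"')
EXP_RE = re.compile(r"cert:exponent\s+(\d+)")


@dataclass(frozen=True)
class ClientCert:
    """Fields the TLS layer hands the application once the handshake has
    proven possession of the private key (assumed extraction, not done here)."""
    san_uris: Tuple[str, ...]   # subjectAltName URI entries
    modulus: int
    exponent: int


def hex_to_int(hex_binary: str) -> int:
    # xsd:hexBinary may be written with whitespace and in either case.
    return int(re.sub(r"\s+", "", hex_binary), 16)


def published_keys(turtle: str, doc_url: str) -> Dict[str, Set[Tuple[int, int]]]:
    """Map each subject URI in the profile to the (modulus, exponent) pairs it publishes."""
    keys: Dict[str, Set[Tuple[int, int]]] = {}
    for subj, body in KEY_RE.findall(turtle):
        subject = doc_url + subj if subj.startswith("#") else subj  # resolve <#me>
        mod, exp = MOD_RE.search(body), EXP_RE.search(body)
        if mod and exp:
            keys.setdefault(subject, set()).add((hex_to_int(mod.group(1)), int(exp.group(1))))
    return keys


def verify_webid(cert: ClientCert, fetch: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the first SAN URI whose profile lists the certificate's key, else None.
    No CA chain is consulted: a self-signed certificate is fine. The only question
    is whether the owner of the WebID has published this public key."""
    for webid in cert.san_uris:
        if not webid.startswith(("http://", "https://")):
            continue                      # only dereferenceable WebIDs are candidates
        doc_url = webid.split("#", 1)[0]  # profile document = WebID minus fragment
        turtle = fetch(doc_url)
        if turtle is None:
            continue
        if (cert.modulus, cert.exponent) in published_keys(turtle, doc_url).get(webid, set()):
            return webid
    return None


def revoke_key(turtle: str, modulus: int) -> str:
    """Profile-side revocation: drop the cert:key statement whose modulus matches.
    Other keys and the WOT links in the document are left untouched."""
    def drop(match):
        mod = MOD_RE.search(match.group(2))
        return "" if mod and hex_to_int(mod.group(1)) == modulus else match.group(0)
    return KEY_RE.sub(drop, turtle)


# ---- constructed sample data: toy-sized moduli, not real keys or profiles ----
ALICE = "https://alice.example/profile#me"
ALICE_DOC = ALICE.split("#", 1)[0]
LAPTOP_MOD = "cb24ed85 d64d794b 69c701c1 86acc059 501e856c a1d92c39 e4b1b1f4"
PHONE_MOD = "9f2c1a3b 7e5d4c6f 1a2b3c4d 5e6f7a8b 9c0d1e2f 3a4b5c6d 7e8f9a0b"

PROFILES: Dict[str, str] = {
    ALICE_DOC: f"""
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<#me> a foaf:Person ; foaf:knows <https://bob.example/card#i> .
<#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "{LAPTOP_MOD}"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
<#me> cert:key [ a cert:RSAPublicKey ;
    cert:modulus "{PHONE_MOD}"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
"""
}


def fetch_from(profiles: Dict[str, str]) -> Callable[[str], Optional[str]]:
    return lambda url: profiles.get(url)  # stand-in for the HTTP GET of the profile


def example_results() -> Dict[str, Optional[str]]:
    laptop = ClientCert((ALICE,), hex_to_int(LAPTOP_MOD), 65537)
    phone = ClientCert((ALICE,), hex_to_int(PHONE_MOD), 65537)
    impostor = ClientCert((ALICE,), hex_to_int("deadbeef"), 65537)  # own key, Alice's URI
    live = fetch_from(PROFILES)
    revoked = dict(PROFILES)
    revoked[ALICE_DOC] = revoke_key(PROFILES[ALICE_DOC], laptop.modulus)
    after = fetch_from(revoked)
    return {
        "laptop": verify_webid(laptop, live),
        "impostor": verify_webid(impostor, live),
        "laptop_after_revocation": verify_webid(laptop, after),
        "phone_after_revocation": verify_webid(phone, after),
    }


if __name__ == "__main__":
    for name, outcome in example_results().items():
        print(f"{name}: {outcome or 'rejected'}")
```

The impostor case is the one the CA-less model has to get right: anyone can mint a self-signed certificate with Alice's WebID in the SAN, so the decision rests entirely on the key comparison against the profile Alice controls. The revocation case shows the property Andrei contrasts with GPG: dropping one key statement invalidates the laptop certificate immediately while the phone key and the `foaf:knows` link survive unchanged.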