Russ Allbery <r...@debian.org> writes:

> So, again, it comes down to what problem we're trying to solve. If the
> problem is just how do we authenticate Debian contributors to Debian
> systems, then we're actually in the institutional case and we don't have
> to trust anyone outside the project: we can deploy our own central
> authentication system -- a CA, a Kerberos KDC, or any other authentication
> system of choice -- and have all parties trust it, and that will be much
> simpler and much easier to analyze than any of the distributed models.
>
> Once we have our own CA, we could of course do secure WebID if we wanted
> to using that CA (modulo the inherent dubiousness of substituting endpoint
> authentication for user authentication), but it's not clear to me why we'd
> bother as opposed to just issuing client X.509 certificates with the
> metadata already included.
By decoupling the identity descriptors (metadata in the WebID resources) from X.509 certs (potentially generated locally and self-signed), you may have several identifiers for a single auth token, your TLS client cert. This is one of the advantages of WebID that may be worth mentioning.

The fact that I'm in control of my identity (my WebID) is certainly key in a world of delegated login systems relying on social network operators. Debian (no more than Facebook or my government) doesn't have to tell who I am, if I can write my own (master) profile with vi.

So Debian wouldn't need to issue certificates, if it trusts GPG-signed WebIDs, whereas other communities / employers / freedomboxes will have other trust mechanisms, and you'll always use a single TLS cert to SSO everywhere you want to be recognized.

Or maybe it's not that easy / beautiful?

I tend to think that basing the metadata description on a standard like RDF also brings a lot of inherent interoperability compared to Kerberos, SAML or the like... but I'm no expert in auth system interoperability.

I agree that the distributed aspect seems to imply increased complexity of the trust verification...

I'm not sure I completely understand what we're trying to solve, and we may only discover by trying / experimenting (serendipity), but I like the idea that the same RDF Turtle documents I've hand-written and GPG-signed could both be a basis for traceability of my contributions in Debian and other communities (one aspect of Linked Data use for FLOSS development artifacts traceability I'm researching) and for SSO to forges and various Web tools of those communities ([mentors|whois|alioth].debian.org, etc.)...
I very much like such convergence: the profile *I* write (using a standard semantic language), complemented by one published by the Debian portal, complemented by others, and bound to a TLS cert *I* generated, is all I need for many things in this distributed (Web) world, provided I have established links with the GPG WoT...

GPG isn't Linked Data, so it's not all pure Semantic Web, so it's not (yet) perfect, but we're getting closer ;-)

I may just be dreaming too much of silver bullets? ;)

Hope this makes sense anyhow.

Best regards,

-- 
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)

Archive: http://lists.debian.org/87vc6gfdmb....@inf-8657.int-evry.fr
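As an added illustration of the binding Olivier describes above (a locally generated, self-signed TLS client cert whose identity lives in a WebID profile document rather than in the cert), here is a small Go program. It is not part of this thread and not code from Debian or from any WebID project. It performs the WebID-TLS check: read the WebID from the cert's subjectAltName URI, fetch the profile published at that URI, and accept the cert only if the profile lists the cert's RSA modulus and exponent under cert:key. The WebID https://alice.example/profile#me, the Turtle profile, the in-memory fetch standing in for an HTTPS GET, and the regex-based extraction (instead of a real RDF parser) are all constructed assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"strconv"
	"time"
)

// Constructed for this example: Alice's WebID and a Turtle profile template that
// stands in for the document a verifier would GET over HTTPS from the WebID's own
// origin. %s receives the hex modulus of Alice's RSA key.
const aliceWebID = "https://alice.example/profile#me"
const profileTemplate = `@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<https://alice.example/profile#me> cert:key [
    a cert:RSAPublicKey ;
    cert:modulus "%s"^^xsd:hexBinary ;
    cert:exponent 65537 ] .
`

var keyRe = regexp.MustCompile(`(?s)cert:key\s+\[(.*?)\]`)
var modulusRe = regexp.MustCompile(`cert:modulus\s+"([0-9A-Fa-f]+)"`)
var exponentRe = regexp.MustCompile(`cert:exponent\s+(\d+)`)

// profileListsKey reports whether the profile asserts the RSA key (n, e) for webid
// via cert:key. Regex extraction over one statement with absolute IRIs is enough
// here; a real verifier would use an RDF parser and resolve relative IRIs like <#me>.
func profileListsKey(turtle, webid string, n *big.Int, e int) (bool, error) {
	stmtRe := regexp.MustCompile(`(?s)<` + regexp.QuoteMeta(webid) + `>(.*?)\s\.\s*(?:\n|\z)`)
	m := stmtRe.FindStringSubmatch(turtle)
	if m == nil {
		return false, fmt.Errorf("profile has no statement about %s", webid)
	}
	for _, blk := range keyRe.FindAllStringSubmatch(m[1], -1) {
		mod, exp := modulusRe.FindStringSubmatch(blk[1]), exponentRe.FindStringSubmatch(blk[1])
		if mod == nil || exp == nil {
			continue // not an RSA key block this example understands
		}
		pn, ok := new(big.Int).SetString(mod[1], 16)
		if pe, err := strconv.Atoi(exp[1]); ok && err == nil && pn.Cmp(n) == 0 && pe == e {
			return true, nil
		}
	}
	return false, nil
}

// verifyWebIDTLS: the client certificate's SAN URI names the WebID, and the profile
// fetched from that WebID must list the certificate's public key. The self-signed
// certificate's issuer and signature are never consulted; the trust root is the
// profile's HTTPS origin, so fetch must validate the server certificate and must
// not follow redirects to other origins.
func verifyWebIDTLS(cert *x509.Certificate, fetch func(string) (string, error)) (string, error) {
	if len(cert.URIs) != 1 {
		return "", fmt.Errorf("client certificate must carry exactly one SAN URI")
	}
	webid := cert.URIs[0].String()
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("this example handles RSA keys only")
	}
	doc, err := fetch(webid)
	if err != nil {
		return "", err
	}
	listed, err := profileListsKey(doc, webid, pub.N, pub.E)
	if err != nil {
		return "", err
	}
	if !listed {
		return "", fmt.Errorf("certificate key is not listed in the profile for %s", webid)
	}
	return webid, nil
}

// selfSignedCert is the locally generated client certificate a WebID user presents,
// with the WebID in the subjectAltName URI field.
func selfSignedCert(key *rsa.PrivateKey, webid string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), URIs: []*url.URL{must(url.Parse(webid))}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// must panics on setup errors (key generation, cert creation) that are not the point here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// runDemo reports whether Alice's own certificate verifies and whether an impostor
// certificate naming the same WebID with a different key is rejected.
func runDemo() (aliceOK, malloryRejected bool) {
	alice := must(rsa.GenerateKey(rand.Reader, 2048))
	mallory := must(rsa.GenerateKey(rand.Reader, 2048))
	profile := fmt.Sprintf(profileTemplate, hex.EncodeToString(alice.N.Bytes()))
	fetch := func(string) (string, error) { return profile, nil } // stand-in for the HTTPS GET
	_, errA := verifyWebIDTLS(must(selfSignedCert(alice, aliceWebID)), fetch)
	_, errM := verifyWebIDTLS(must(selfSignedCert(mallory, aliceWebID)), fetch)
	return errA == nil, errM != nil
}

func main() {
	ok, rejected := runDemo()
	fmt.Printf("alice verified: %v, impostor rejected: %v\n", ok, rejected)
}
```

Running it with go run generates Alice's and an impostor's keys, then shows Alice's cert verifying and the impostor's cert (same WebID in the SAN, different key) being rejected. The point worth keeping in view for the Debian case: since the cert is self-signed, nothing about the cert itself is trusted; the whole binding rests on who controls the document served at the WebID URL, so the fetch has to be an authenticated HTTPS request to that origin, and any further trust, such as the GPG signature over the profile that Olivier mentions, is a separate check layered on top of this one.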