On 05/18/2013 12:08 PM, Olivier Berger wrote:
> We do verify such trust chains every day for db.debian.org AFAIU (and of
> course for uploads)... so provided a GPG public key is in our keyrings,
> it can be used to "certify" a WebID document, by verifying that it has
> been signed by the correct GPG key, right?
>
> So, if I'm not trying to think too far of potential abuses, in practical
> terms, my understanding is that we may use WebID + TLS for Debian,
> provided that we only trust FOAF/WebID documents signed with GPG by
> Debian participants which would have been registered in a DB of ours as
> allowing the use of a (remote) WebID, such registration being made with
> the same GPG key's signature (for instance using the mail gateway of
> db.debian.org).
>
> Then such WebID could be trusted by Debian to provide meta-data about
> the Debian project member, and could be used to authenticate to Debian
> servers in a password-less way, using their associated TLS cert.
You've described several steps of cryptographic check that could be done here. At least one of the critical steps seems to rely on OpenPGP data signatures (as opposed to OpenPGP identity certifications), if i'm understanding your proposal correctly. Other steps also rely on OpenPGP identity certifications (in contrast to OpenPGP data signatures). It's not clear to me how i might revoke an OpenPGP data signature (i.e. a signature over a document) or what a data signature with an expiration date would mean; but OpenPGP expiration and revocation semantics are well-understood and already implemented when looking at OpenPGP identity certifications.

If the only thing that the cryptographic signature is used for is the assertion of identity information coupled with a claim of public key material, then just using a standard OpenPGP identity certification seems like the simplest thing -- you already need to be able to rely on such a claim in the first place for potential signing-capable subkeys (and their subkey-binding certifications).

I understand how debian's web services might make use of identity certification this way; I haven't yet heard an explanation for what advantages debian would get as an organization for any of the linked-data sort of material, and one isn't springing to mind for me (though i might just be insufficiently imaginative).

I share the hesitance that both Russ and Jonas have expressed about encouraging public participation in the publication of rich social graphs, so i tend to lean toward the idea of just publishing identity certifications (if that's all debian needs) and leaving out the other features until it becomes clear that we have a real use case for them.

--dkg
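The check Olivier describes above (verify that a FOAF/WebID document carries a GPG signature from a key in a Debian keyring, made by the participant registered for that WebID), as an added shell example that is not part of this thread and not Debian's own tooling. It assumes GnuPG 2.x is installed as `gpg`; the keyring file, the two participant keys, the Turtle document and the "registered fingerprint" standing in for a db.debian.org record are all constructed inside the script. It goes one step beyond the thread's wording: the signer's primary-key fingerprint is pinned to the registered one, because a key merely being present in the keyring would let any keyring member sign a document for someone else's WebID.

```shell
#!/bin/sh
# Added example, not from the thread. Verify a detached OpenPGP signature over a
# FOAF/WebID document against a curated keyring and pin the signer's primary-key
# fingerprint to the one registered for that participant. Assumes GnuPG 2.x.
set -eu

# verify_webid_doc DOC SIG KEYRING EXPECTED_FPR
# Succeeds only when SIG is a good signature over DOC by a key in KEYRING and the
# signing key's *primary* fingerprint (last field of gpg's VALIDSIG status line)
# equals EXPECTED_FPR. Keyring membership alone is deliberately not enough.
verify_webid_doc() {
    doc=$1 sig=$2 keyring=$3 expected=$4
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$doc" 2>/dev/null) || return 1
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{ print $NF; exit }')
    [ -n "$primary" ] && [ "$primary" = "$expected" ]
}

# primary_fpr USERID: first fingerprint line of --with-colons output is the primary key.
primary_fpr() {
    gpg --batch --with-colons --list-keys "$1" | awk -F: '/^fpr:/{ print $10; exit }'
}

# demo: two throw-away keys (alice, mallory) in a temporary GNUPGHOME, both exported
# into the "curated" keyring; a constructed WebID document is signed by each.
# With alice's fingerprint registered, only alice's signature may pass, and a
# modified document must fail. Returns 0 when all three checks behave.
demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    for who in alice mallory; do
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-gen-key "$who <$who@example.org>" default default never >/dev/null 2>&1
    done
    registered_fpr=$(primary_fpr alice@example.org)   # stands in for the DB record
    gpg --batch --export alice@example.org mallory@example.org > "$work/keyring.gpg"

    cat > "$work/webid.ttl" <<'EOF'
# constructed sample WebID profile
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<https://people.example.org/alice#me> a foaf:Person ; foaf:name "Alice" .
EOF
    for who in alice mallory; do
        gpg --batch --pinentry-mode loopback --passphrase '' --local-user "$who@example.org" \
            --detach-sign --output "$work/$who.sig" "$work/webid.ttl" 2>/dev/null
    done

    # 1. genuine signature by the registered key: accepted
    verify_webid_doc "$work/webid.ttl" "$work/alice.sig" "$work/keyring.gpg" "$registered_fpr"
    # 2. valid signature by another keyring member: rejected by the fingerprint pin
    ! verify_webid_doc "$work/webid.ttl" "$work/mallory.sig" "$work/keyring.gpg" "$registered_fpr"
    # 3. document altered after signing: rejected
    printf '<https://people.example.org/alice#me> foaf:nick "root" .\n' >> "$work/webid.ttl"
    ! verify_webid_doc "$work/webid.ttl" "$work/alice.sig" "$work/keyring.gpg" "$registered_fpr"

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "ok: only the registered key's signature over the unmodified document is accepted"
}

demo
```

The pin is the security-relevant part: `gpg --verify` reports success for any key it can find in the keyring, so the caller must compare the VALIDSIG primary fingerprint with the one the registration record names rather than trusting the exit status alone.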