Hi Daniel.

I've been slowly trying to play with OpenPGP and WebID, in the context of its use in the Debian project, and wanted to investigate the possible solutions to bind an OpenPGP key to a WebID.

Maybe your expertise on OpenPGP specs can help here.

Basically, in the same way as an X.509 cert points with the subjectAltName to a URI of a WebID document, I'd like my pubkey to point to such a URI.

I have checked in RFC 4880, and there seem to have been plans for possible User Attributes, but so far there's only such a use for photos as JPEG.

I've then tried to embed an RDF triple pointing to the WebID URI inside a QR code image, which I can then add as a (preferably not primary) photo ID in my pubkey (see a description of my experiment and some comments at [0]).

As a back link, my WebID then points back to the pubkey's fingerprint. See an example at [1] for one of my own keys.

I think this may be a way to allow some use of WebID, relying on the Debian OpenPGP web of trust, and not necessarily on client certs. Of course, a WebID could then be bound to both an OpenPGP key and an X.509 cert.

The use of a QR code JPEG photo ID is a bit of a hack, so do you have any idea of whether it could be possible to support other types of user attributes such as a WebID URI, or some RDF fragment?

Btw, I've just created a ML (in CC:) on alioth to serve for future discussions about WebID in Debian, as a followup of the WebID BoF that occurred at DebConf (gently moderated by Jonas, as I couldn't make it to Le Camp). Feel free to join ;)

Best regards,

[0] http://lists.w3.org/Archives/Public/public-webid/2013Aug/0087.html
[1] http://www-public.telecom-sudparis.eu/~berger_o/info/pubkey/pubkey.txt

Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:

> On 05/14/2013 10:03 AM, Jonas Smedegaard wrote:
>
>> I have also thought WebID would be a perfect match for things like this.
> [...]
>
> And as a project, we already have a community-reinforced authentication
> infrastructure (the OpenPGP certification network that all contributors
> have to be connected to, as guided by the excellent debian-keyring
> maintainers) that we could tie that key verification to without exposing
> ourselves to greater risk from the diginotars of the world.
>
> if i can help in implementing a debian-keyring-derived verification of
> Web-ID-discovered keys for client-side TLS authentication, i'd be happy
> to try to pitch in in my copious (why is there no sarcasm emoticon yet?)
> free time.

-- 
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
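The mutual binding the message above describes (key's QR user attribute points to the WebID URI, WebID document points back to the key's fingerprint) can be checked mechanically once both sides are available as RDF. The following is an added example, not code from the thread or from Debian: it assumes the QR payload has already been decoded to an N-Triples line, uses the WOT vocabulary (http://xmlns.com/wot/0.1/) as an assumed predicate choice, and all URIs, the fingerprint and both documents are constructed sample data.

```python
import re

WOT = "http://xmlns.com/wot/0.1/"
# Minimal N-Triples line: <subject> <predicate> (<uri> | "literal") .
NT_LINE = re.compile(r'^<([^>]*)>\s+<([^>]*)>\s+(<([^>]*)>|"([^"]*)")\s*\.$')

def parse_ntriples(text):
    """Parse N-Triples lines into (subject, predicate, object) tuples."""
    triples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NT_LINE.match(line)
        if not m:
            raise ValueError("bad N-Triples line: " + line)
        obj = m.group(4) if m.group(4) is not None else m.group(5)
        triples.append((m.group(1), m.group(2), obj))
    return triples

def norm_fpr(s):
    """Canonical fingerprint: uppercase hex, spaces and colons stripped."""
    return re.sub(r"[^0-9A-F]", "", s.upper())

def webids_from_qr(qr_payload):
    """WebID URIs the key's user attribute (decoded QR) claims as its identity."""
    return {o for s, p, o in parse_ntriples(qr_payload) if p == WOT + "identity"}

def fingerprints_from_webid(doc, webid):
    """Fingerprints the WebID document asserts for keys it lists via wot:hasKey."""
    triples = parse_ntriples(doc)
    keys = {o for s, p, o in triples if s == webid and p == WOT + "hasKey"}
    return {norm_fpr(o) for s, p, o in triples if s in keys and p == WOT + "fingerprint"}

def binding_is_mutual(key_fpr, qr_payload, webid, webid_doc):
    """True only if both directions of the binding agree with the real key fingerprint."""
    return (webid in webids_from_qr(qr_payload)
            and norm_fpr(key_fpr) in fingerprints_from_webid(webid_doc, webid))

# Constructed sample data (not a real key, WebID or document).
KEY_FPR = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"  # as printed by gpg --fingerprint
WEBID = "https://example.org/people/alice#me"
QR_PAYLOAD = ('<https://example.org/people/alice#key> '
              '<http://xmlns.com/wot/0.1/identity> <https://example.org/people/alice#me> .')
WEBID_DOC = """
<https://example.org/people/alice#me> <http://xmlns.com/wot/0.1/hasKey> <https://example.org/people/alice#key> .
<https://example.org/people/alice#key> <http://xmlns.com/wot/0.1/fingerprint> "123456789ABCDEF0123456789ABCDEF012345678" .
"""

if __name__ == "__main__":
    print(binding_is_mutual(KEY_FPR, QR_PAYLOAD, WEBID, WEBID_DOC))
```

Note that the check only confirms the two documents agree with each other and with the fingerprint computed from the actual key; whether the key itself is trustworthy is still a web-of-trust question (e.g. its certification path through the Debian keyring).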