[Freedombox-discuss] Debian as though cryptographic authentication mattered Questions

[John Walsh]

Hi Everybody,
First of all a hat tip to dkg for an excellent presentation. You made crypto
so interesting to me, a user, that I jumped on to Wikipedia to find out
more. Needless to say I have a few questions about crypto, but hopefully in
asking these questions you will see the stumbling blocks in the UI for a
user. I have also come up with my own UI proposal which is probably useless,
but hopefully in doing so it will generate some proper UI solutions.
 
I have read about OpenPGP, Web of Trust, Key-signing parties including
how-to, Monkeysphere and WebID. There were two Ahh moments for me in the
presentation. Keys are needed to encrypt everything (doh!) so keys cannot be
avoided and much be built-in to the FBX UI. Secondly, if you add a new
service (email server) you can generate a new subkey which is used as a
password for the email server - cool I don't have to worry about passwords -
leaving you with one "master key" for everything. Here are my questions.
 
1) Do certs/keys have to contain personable identifiable information? Could
the certs contain pseudonyms to protect people's privacy which is a goal of
the FBX?
 
2) The WebID solution is to generate an "unsigned" cert which points back to
your public key on your "username web page", i.e. your username page is
acting like a key server. So, if I have the private key (in my cert) for the
public key held on a username page, then I control the username on that web
page, thus confirming I am the owner of that identity/key/cert. Why are keys
held on centralised public key servers when the WebID model seems more
secure?
 
3) Personally, I prefer the Monkeysphere/OpenPGP Web Of Trust model to the
browser controlled Certificate Authority (CA is required for servers) model.
I like that you can give your key to somebody to sign/confirm your identity
although I question the value of getting "Bob from the key signing party" or
your friends to sign your key. Having your friends sign your keys raise
privacy concerns even if they are allowed to use pseudonyms. I would prefer
to have my key signed by the traditional real-world identity providers i.e.
government agencies which would remove any privacy concerns about your
friends using the WOT model and offer a lot more credibility than "Fred's
CA". Then I thought why aren't governments filling this traditional role and
this made me think that although it's required in the real world maybe there
is no *current* need for it in the online world. So, do we really need a
WOT/ CA model for clients? The paranoid side of me wonders can you track
someone if you have signed their key like openid providers can track you?
 
So, obviously you can see my train of thought. When you create a username
you automatically generate a key and on the
http://username.mydomain.tld/about_me page you hide/store your public key.
Following the WebID model, the link back to your username page always
confirms you as the owner of the identity. Of course there is no trust built
into this model because the key is only "self-signed" and not signed by a
third party, but I would argue that it's not currently required in the
online world otherwise there would have to be a WOT attached to your email
address. If/when it's required in the future, I think keys should be signed
by government agencies as long as they can't track you through signing your
key!! My proposed solution is based on the WebID model and does not address
the whole key management lifecycle and I am not sure if WebID addresses the
whole key management lifecycle. 
 
I look forward to your answers and all opinions are gratefully received.
 
-- fiftyfour
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110805/aa5ab2b8/attachment.html>