[Freedombox-discuss] Debian as though cryptographic authentication mattered Questions

Melvin Carvalho melvincarvalho at gmail.com
Fri Aug 5 15:58:47 UTC 2011

On 5 August 2011 15:41, John Walsh <fiftyfour at waldevin.com> wrote:
> Hi Everybody,
> First of all a hat tip to dkg for an excellent presentation. You made crypto
> so interesting to me, a user, that I jumped on to Wikipedia to find out
> more. Needless to say I have a few questions about crypto, but hopefully in
> asking these questions you will see the stumbling blocks in the UI for a
> user. I have also come up with my own UI proposal which is probably useless,
> but hopefully in doing so it will generate some proper UI solutions.
> I have read about OpenPGP, Web of Trust, Key-signing parties including
> how-to, Monkeysphere and WebID. There were two Ahh moments for me in the
> presentation. Keys are needed to encrypt everything (doh!) so keys cannot be
> avoided and must be built-in to the FBX UI. Secondly, if you add a new
> service (email server) you can generate a new subkey which is used as a
> password for the email server - cool I don't have to worry about passwords -
> leaving you with one "master key" for everything. Here are my questions.
> 1) Do certs/keys have to contain personally identifiable information? Could
> the certs contain pseudonyms to protect people's privacy which is a goal of
> the FBX?

I think ideally identity should have public and private elements under
the user's control.

A cert is normally just a key with some name/value pairs
associated, so you have a degree of flexibility there.

NSTIC have some interesting ideas here http://www.nist.gov/nstic/

These are definitely issues we are looking to solve.  Having networks
up and running will help with implementations.

> 2) The WebID solution is to generate an "unsigned" cert which points back to
> your public key on your "username web page", i.e. your username page
> is acting like a key server. So, if I have the private key (in my cert) for
> the public key held on a username page, then I control the username on that
> web page, thus confirming I am the owner of that identity/key/cert. Why are
> keys held on centralised public key servers when the WebID model seems more
> secure?

Not sure where key servers are going to fit into the equation, but
that's an interesting question.

WebID is self hosted so you just need to put your public key on your
homepage and set a rel attribute and you're pretty much done.

> 3) Personally, I prefer the Monkeysphere/OpenPGP Web Of Trust model to the
> browser controlled Certificate Authority (CA is required for servers)
> model. I like that you can give your key to somebody to sign/confirm your
> identity although I question the value of getting "Bob from the key signing
> party" or your friends to sign your key. Having your friends sign your keys
> raises privacy concerns even if they are allowed to use pseudonyms. I would
> prefer to have my key signed by the traditional real-world identity
> providers i.e. government agencies which would remove any privacy concerns
> about your friends using the WOT model and offer a lot more credibility than
> "Fred's CA". Then I thought why aren't governments filling this traditional
> role and this made me think that although it's required in the real world
> maybe there is no *current* need for it in the online world. So, do we
> really need a WOT/ CA model for clients? The paranoid side of me wonders can
> you track someone if you have signed their key like openid providers can
> track you?

I think "social verification" will work well.  I'm all for key signing
parties, but maybe there are also times when you can't meet someone in
person.  There's much more that can be done with a web of trust once a
few boxes spring up.

Interestingly, I was on the call when David Recordon of Facebook was
talking to the W3C, and he said that social verification was something they
wanted to look at.

> So, obviously you can see my train of thought. When you create a username
> you automatically generate a key and on the
> http://username.mydomain.tld/about_me page you hide/store your public key.
> Following the WebID model, the link back to your username page always
> confirms you as the owner of the identity. Of course there is no trust built
> into this model because the key is only "self-signed" and not signed by a
> third party, but I would argue that it's not currently required in the
> online world otherwise there would have to be a WOT attached to your email
> address. If/when it's required in the future, I think keys should be signed
> by government agencies as long as they can't track you through signing your
> key!! My proposed solution is based on the WebID model and does not address
> the whole key management lifecycle and I am not sure if WebID addresses the
> whole key management lifecycle.
> I look forward to your answers and all opinions are gratefully received.

My solution to this is to use the same RSA key for both my WebID and
my OpenPGP key.

It's often seen as an either/or choice by people not familiar with one
or the other, but I think both approaches have something to offer.

> -- fiftyfour
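The WebID check discussed under question 2 (the certificate names a profile URI, and the page at that URI must list the same public key), as an added example that is not part of the original message and is not WebID project code. The certificate and profile are modelled as plain Python values; the sample key, the URIs, the HTTPS requirement and the 2048-bit minimum are assumptions of this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urldefrag

@dataclass(frozen=True)
class RsaPublicKey:
    modulus: int
    exponent: int

def parse_hex_modulus(text):
    """Accept pasted spellings: colons, whitespace, mixed case, leading zeros."""
    cleaned = re.sub(r"[\s:]", "", text)
    if re.fullmatch(r"[0-9a-fA-F]+", cleaned) is None:
        raise ValueError("modulus is not hexadecimal")
    return int(cleaned, 16)

def webid_claim_holds(cert_uri, cert_key, fetched_url, profile_keys, min_bits=2048):
    """True only if the document fetched from the certificate's URI lists the certificate's key.

    Possession of the private key is proven separately by the TLS handshake.
    """
    document_url = urldefrag(cert_uri).url        # "#me" names the person, not the document
    if document_url != fetched_url:               # final URL after redirects must be the one the cert names
        return False
    if not document_url.startswith("https://"):   # assumption: plain-HTTP profiles are rejected
        return False
    if cert_key.modulus.bit_length() < min_bits:  # assumption: local minimum key size
        return False
    for entry in profile_keys:
        try:
            published = RsaPublicKey(parse_hex_modulus(entry["modulus"]), int(entry["exponent"]))
        except (KeyError, TypeError, ValueError):
            continue                              # a malformed entry never matches
        if published == cert_key:
            return True
    return False

# Constructed sample data: not a real RSA modulus, only a 2048-bit stand-in.
SAMPLE_KEY = RsaPublicKey(modulus=(1 << 2047) | 0xC0FFEE, exponent=65537)
_hex = format(SAMPLE_KEY.modulus, "x")
SAMPLE_PROFILE_KEYS = [
    {"modulus": "zz", "exponent": "65537"},       # malformed, ignored
    {"modulus": ":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2)).upper(), "exponent": "65537"},
]
SAMPLE_URI = "https://alice.example/about_me#me"
```

Because the profile is self-hosted, a match shows only that whoever controls the page also controls the key; it says nothing about who that person is, which is the gap a web of trust or CA signature would fill.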