[Freedombox-discuss] Debian as though cryptographic authentication mattered Questions

Henry Story henry.story at bblfish.net
Tue Aug 9 08:29:52 UTC 2011 

On 9 Aug 2011, at 09:16, John Walsh wrote:

> 
> Hi Melvin,
> 
>>>> In general it would be fair to say WebiD has a dependency  on DNS but 
>>>> so does email email.  In both systems there are cases  where you can 
>>>> work without DNS.
> 
>> You can self sign web server certs.  This is what I do.
>> 
> Will WebID client certs work with a web server that has a self sign certs,
> i.e. no warning errors? 

If by clients you mean browsers then current browsers of course will show error messages. DNSSEC and IETF Dane (or something along those lines such as Dan Kaminsky's text proposal) should allow self signed server certs to be deployed that should allow browser not to show such error messages. One should help them get that deployed. Btw, there are free CAs btw which can help in the transition period. 

If you mean do all WebId clients need to take this into account, then the answer is of course no. First a client connecting to a server with a self-signed cert could continue interaction, having set a flag that he may be snooped on (i.e., not to talk about sensitive stuff - bank passwords and such). But the certificate could itself have a WebID in the Issuer Alternative Name, and this could be tied into the web of trust, exactly like subjects can be. We did not explore this too much because playing on too many levels gets to be confusing, and that requires a longer term vision. But since people here really want the long term picture, then look up the recent e-mail I wrote up on how to build a web of trust on the issuer side:

  http://lists.w3.org/Archives/Public/public-xg-webid/2011Aug/0017.html

Now of course there are going to be cries and shouts that with DANE we'll be all centrally controlled by some governments. For people who are worried about that I wrote up a proposal on how to avoid DNS with WebID

   http://lists.w3.org/Archives/Public/public-xg-webid/2011Mar/0068.html

The reason why we use these deficient systems currently is not that they are required by the architecture, but because they are a first step in the right direction and allow one to get mass adoption with the system as it is now, yet work to better systems over time.


Anyway, I'd be happy to explore this in more detail. Perhaps some of you will be in Berlin this week at the Chaos Communication Camp.
http://events.ccc.de/2011/

Henry

> 
> -- fiftyfour
> 
> 
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss

Social Web Architect
http://bblfish.net/

More information about the Freedombox-discuss mailing list