[Freedombox-discuss] Friendika

Henry Story henry.story at bblfish.net
Thu Jul 14 07:49:25 UTC 2011


On 14 Jul 2011, at 07:01, Sébastien Lerique wrote:

> 
> Hi,
> 
> I had time to spare and watched your talk about "Philosophy and the
> Social Web". Very interesting!

The web is this most amazing engineering project which seems to spring
right out of work in 20th century philosophy and logic. :-)

More below...

> 
> I have a number of questions about WebID. I hope there aren't too many;
> they follow below.
> 
>> The server certificates work much better when relying on a CA of 
>> course.  Without CA signed certificates the client or the server 
>> would not know if they  have really reached the server. So there is 
>> an attack that is possible there. If that is not an issue that could 
>> be bypassed, especially in server to server configuration. Of course 
>> in that case each side should understand that the level of security 
>> is lower. But not lower than when we connect to http://google.com/ . 
>> (On the client side connecting to a server that is not CA enabled 
>> leads to ugly UI issues though.)
>> 
>> Now I think it would be great if everything were behind https. Then 
>> when google gave us an answer we would not be in danger of receiving 
>> a man in the middle corrupted answer, sending us to some other fake 
>> page. Security itself is social. If Google is not secure then most 
>> things we do are not secure. If other web sites are not secure then 
>> google is not secure - cause Google's crawlers could be 
>> man-in-the-middled.
>> 
>> But we can't get everything behind https if we _need_ to rely on
>> CAs, as they are a bottleneck. DNS is not perfect but already a lot 
>> better. So people who want to help increase security there, should 
>> look at the IETF DANE work.
>> 
>> http://datatracker.ietf.org/wg/dane/charter/
> 
> In the case of an authentication using WebID: John connects to a
> service S, which during the authentication process connects to John's
> server. Is DNSSec the solution being considered to make sure there is
> no MITM when S connects to John's server?

DNSSec is most importantly a solution to removing the DNS poisoning problems that currently exist. See the talks by Dan Kaminsky to get an idea of the size of the problem. So currently even if Google gives you the right Domain Name you are at risk of being misled to the wrong ip address through a pirated DNS. I think it is really worth emphasising the extremely problematic state of security on the internet. It is so bad, that if something like DNSsec does not go through you might as well say goodbye to commerce on the internet.

With DNSsec on the other hand, deploying self signed certificates for servers becomes really easy. The DANE working group is of course going to take forever to get that through, but not for technical reasons.

So TLS is what stops man in the middle attacks. The problem is the trust in the certificate coming from the server. Since we are mostly already trusting DNS, one might as well have DNS not just tell you the ip address of the server but also tell you what the certificate of the server is going to be (or a signature of it, or have the certificate be signed by DNS,...) 


> 
> About the way "identity is social":
> 
> How do you see WebID being used at wide in the social web, in the
> future: I was wondering about how federated social networks currently
> use, or interface with, WebID. At first it hadn't struck me as a
> particularly appropriate mechanism on which to build social
> networking, but in fact the http://myprofile-project.org/ manifesto
> seems to be going in that direction (at the same time taking into
> consideration the current flaws for social networking).

Well any current social network can very easily give every one of their users a WebID. It just requires adding a keygen enabled form to allow users to create a number of certificates for each of their browsers,  and then to add one of the formats with well known semantics to  the home page that describes the person and their keys. This can be done in RDF/XML,
rdfa or other formats as specified on http://webid.info/spec/ - which is work in progress. 

Then to allow users to login with WebID you need to put up an https endpoint - or rely on a service that does - and then have it follow the steps specified (in a somewhat ugly way in the spec, and a lot more simply in the http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_22/webid.html - if there are people who are good at spec writing we'd be happy to have your help to improve the language)


> 
> Next, what would be the possible ways of having multiple identities as
> well as circles/groups (for friends, work, etc.): having multiple
> WebIDs, or developing access control for clients accessing a WebID? (or
> other?) I understand MyProfile is working on that sort of thing, among
> others (according to their manifesto again).

yep, you can have as many identities as you want. You could have your work identity,
your university webid, your FreedomBox id, your party id, and your throwaway one.
You could link them together with owl:sameAs if you wanted.

<http://fb.joe.name/profile/> owl:sameAs <http://fbi.gov/eid/232sh234> .

You can have the link go in both directions, ie: your freedom box could point to
your fbi profile, and the fbi profile could point to your freedom box profile. That would
be a way to confirm the relationship.

> Finally, how do you see possibility of pseudonymous identities with
> WebID? Meaning an identity that can be controlled by a single person
> (and only by that person, or whoever else that person mandates),
> consistently through time, but which is impossible to link to that
> physical person.

Extremely difficult to do this well. It has been shown that just with very
little information you can identify most people down to the house they live
in: things like age, sex, and something else is enough. You'll find that even
if you built such a perfect system, marketeers will just ask users for their 
e-mail address, and most will give it out.

I think more important than this is to stop everyone on earth being able
to read your e-mail, know your and all the worlds social network, report
on every one of your banking transactions, etc... Focusing on perfection
will only allow the current state of deterioration to get worse and worse.

If you wanted one could develop something like httpk as I mentioned before
and combine that somehow with TOR perhaps. Something to be looked into.
 

> My question refers to the authentication process, and
> not possible linkage due to what Tor addresses, like ip, browser
> fingerprinting and the like: would it be possible to have a
> pseudonymous WebID, impossible to link to any physical person through
> information gathered during authentication (which means that kind of
> WebID can't reside on a personal server).

yes, just like it is possible to get throwaway e-mail addresses. Services
could be built to provide that. You'd have to trust them of course not
to pretend to be you, just as you have to trust throwaway e-mail providers
not to spam people with the throwaway e-mail address they gave you.
You could think of webid.fcns.eu as being such a service.


> Or is it just not the right approach for pseudonymity?

No I think one can do quite a lot with such pseudonymity. Trust is built
out of the relations others have with you. These relations can themselves
be protected btw. So on your FBox you can be pretty much pseudonymous, in that
you need tell no-one other than your best friends what your relationships to
others are. All this can be done using just plain Web Access Control techniques.

The best thing is to build something small, get it working, give us feedback on
the WebID mailing list, and then we can attack the next fun problem.

Henry


> 
> Best regards,
> - --
> Sébastien Lerique
> seblerique at wanadoo.fr | @wehlutyk on twitter/identi.ca

Social Web Architect
http://bblfish.net/
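As an added example (not code from the WebID spec, the FreedomBox project, or either correspondent), the two checks the reply describes carried out on constructed profile data: the WebID step where the server compares the key in the client certificate against the keys the profile document lists, and the bidirectional owl:sameAs link between a FreedomBox profile and a second profile. It assumes the cert:key / cert:modulus / cert:exponent vocabulary of the 2011 WebID draft and a minimal N-Triples reader written here; the profiles use the URIs from the reply but are made up.

```python
import re

# Vocabulary assumed from the 2011 WebID draft; the profiles below are constructed.
CERT = "http://www.w3.org/ns/auth/cert#"
OWL_SAME_AS = "http://www.w3.org/2002/07/owl#sameAs"
# Tokens: <iri>, _:blank, or "literal" with an optional ^^<datatype> tag.
TOKEN_RE = re.compile(r'<[^>]*>|_:\w+|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]*>)?')

def _term(tok):
    # strip <> from IRIs and quotes/datatype from literals; keep blank-node labels
    if tok.startswith("<"):
        return tok[1:-1]
    if tok.startswith('"'):
        return tok[1:tok.rindex('"')]
    return tok

def parse_ntriples(text):
    """Tiny N-Triples reader (helper for this example): list of (s, p, o)."""
    triples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = TOKEN_RE.findall(line)
        if len(toks) != 3 or not line.endswith("."):
            raise ValueError("unparsable triple: " + line)
        triples.append(tuple(_term(t) for t in toks))
    return triples

def profile_keys(triples, webid):
    """All (modulus, exponent) pairs the profile asserts for this WebID."""
    keys = set()
    for node in (o for s, p, o in triples if s == webid and p == CERT + "key"):
        mods = [o for s, p, o in triples if s == node and p == CERT + "modulus"]
        exps = [o for s, p, o in triples if s == node and p == CERT + "exponent"]
        keys.update((m.lower(), int(e)) for m in mods for e in exps)
    return keys

def webid_matches(triples, webid, cert_modulus_hex, cert_exponent):
    """WebID check: the profile the client cert names must list the cert's RSA key."""
    return (cert_modulus_hex.lower(), cert_exponent) in profile_keys(triples, webid)

def mutual_same_as(profile_a, uri_a, profile_b, uri_b):
    """Both profiles must point at each other before the link counts as confirmed."""
    return (uri_a, OWL_SAME_AS, uri_b) in profile_a and (uri_b, OWL_SAME_AS, uri_a) in profile_b

JOE = "http://fb.joe.name/profile/"      # URIs from the reply; data is made up
FBI = "http://fbi.gov/eid/232sh234"
JOE_PROFILE = parse_ntriples(f"""
<{JOE}> <{CERT}key> _:k1 .
_:k1 <{CERT}modulus> "CAFE0123"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <{CERT}exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#integer> .
<{JOE}> <{OWL_SAME_AS}> <{FBI}> .""")
FBI_PROFILE = parse_ntriples(f'<{FBI}> <{OWL_SAME_AS}> <{JOE}> .')
```

In a real deployment the modulus and exponent come from the client certificate presented during the TLS handshake, and the profile is fetched over https from the URI in the certificate's subjectAltName.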



