[Freedombox-discuss] FOAF developers taking FreedomBox into their equation
Melvin Carvalho
melvincarvalho at gmail.com
Thu Mar 10 12:06:36 UTC 2011
On 10 March 2011 12:28, Jonas Smedegaard <dr at jones.dk> wrote:
> On Wed, Mar 09, 2011 at 11:00:38PM -0500, Daniel Kahn Gillmor wrote:
>>
>> On 03/09/2011 06:11 PM, Melvin Carvalho wrote:
>>>
>>> Traditionally we've always 'self signed' our WebID certificates. So
>>> there's no CA that needs to be in the loop. In fact, I dont know of any
>>> instance WebID has *ever* been used with a CA, but I suppose it is possible
>>> too. :)
>>
>> For plain http:// URL WebIDs, there is no CA in the loop; but plain
>> http:// WebIDs are vulnerable to a pretty trivial attack by someone with
>> reasonable control of the network -- all they need to do is forge DNS or
>> intercept traffic to convince the server doing a backhaul lookup that the
>> client's presented WebID cert is legit. This level of vulnerability to an
>> attacker in control of the network doesn't seem to meet the standards i'd
>> hope for a robust, freedom-preserving scheme.
>>
>> So that leaves https:// WebIDs, which in turn need some sort of
>> certificate validation. I'm pretty sure that any WebID that points to an
>> https:// URL relies on the CA cartel to validate the backhaul connection, in
>> the current implementations, no? Either the certificate validation is not
>> happening (in which case the scheme is vulnerable to an attacker in control
>> of the network again), or the certificate validation relies on some set of
>> CAs.
>>
>> I'm happy that WebID is trying to sidestep the CA cartel for end-user
>> certificates. But it seems to rely on either (a) centralized,
>> cryptographically-guaranteed DNS (DNSSEC) or (b) the CA cartel to validate
>> the server-side certificates (or both). Both of these options leave a
>> handful of fairly unaccountable middlemen with the ability to perform denial
>> of service attacks on end user identities and even impersonations.
>>
>> I'd love to hear suggestions for improving the scheme to be resistant to
>> these middlemen, but i don't think i've heard any of them yet.
>
> I believe the key to this is the FOAF part: I can, in my FOAF file, beyond
> declaring what friends I have and what WebID public key is linked to it,
> also declare what CAs I trust (which might be only my very own FreedomBox).
I think this is right.
"I express my network in a FOAF file, and that is a start of the
revolution." -- Tim Berners-Lee
Reading some mail lists comments on social networks by Tim a few years
back was what got interested in FOAF.
FOAF was around before most popular social networks, and provides a
user centric way to make statements (e.g. in HTML5). Currently
there's around 100 million FOAFs out there on various networks, inc.
status.net, hi5, google and self hosted. Here's a little example of a
visualizer:
http://foaf-visualizer.org/?uri=http://danbri.org/foaf.rdf
So you can say your name your birthday, your friends (anything you
want)., and control which statements you write. WebID adds a first
layer of authentication, on top of that so we can start making the web
read/write in a vendor neutral way. We can go further with a web of
trust compatible with PGP, and signed assertions and fingerprints, and
access control (Tim's group at MIT is currently active in this area),
but that's in early stages, right now.
Important to remember that while on the one hand The Web is the
dominant eco system on the Internet, much of it is still in early
stages, and up for grabs. Keeping The Web free, goes hand in hand
with keeping our hardware free.
>
> I imagine FreedomBoxes can then grow a web of trust, not only of people but
> also of CAs.
>
> If some of my close friends trust e.g. CAcert.org then I should also trust
> it - or alternatively I should lower the trust in those friends.
> FreedomBox can help with both those logics, I believe.
>
>
> - Jonas
>
> --
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136 Website: http://dr.jones.dk/
>
> [x] quote me freely [ ] ask before reusing [ ] keep private
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQIcBAEBCgAGBQJNeLX4AAoJECx8MUbBoAEhcNMP/iIiTgPyZ2xs61em8EWZJd8G
> Sw0nOcf2xOPKabXFzV9mZGTq4zRyBOEBVExUb85ezX3mFoLQ8bDQb8DEeam/BUKI
> 5ofLIZvOASpywbcADzO8beTs3HnkxjLhV2bEX3kc1bffParuIVd+1HVT79x58HdC
> 1OxAZPVobx9jyi2h2jwXHhSlJe2LKdWIamIHc9xNrZ45DAjeZmsq62cTIFn9Q51C
> rai4Z9oxvJb7Gssg6b7tlu42Pmpnf88RUX1LmyfTjomAaHLSCJLjBXJE8BxbGkZt
> Po71Ko4pvoig1zWIdknx0EwjA5oPRNA4P9FUskcr58dSf4d+zNT1+EBPHjZ3t+ZJ
> gZhj/xF0/i24mP7zRnU+C4P/jLeCUERkC/h0DODng47mfhGVRJ1ctB3/Ohaxs7ZL
> toTzIzgmgT19HhgAPsR5BkXYGH/vWLoCVArfjOffuaXzNOWxHiU0dQC0ZPl2Yp5J
> taslNL8o7Akh9w32rcsIA4t0d1/vdnkZ3Sy7jkGPJSIu4GjPoQ2hXtZ3ZKq43ooo
> E016BwX5GV4lBtkH9Zgk4QB48n3FSyWZnZ+NbDbxR36+xjOaC9BoG2DL6sHe/7CD
> zStrXeFVba3H3/EGocZq7BqfvaX9iDGjoe0jhZlAjNIBXCUMCCuntjWfmKw9w+xF
> VyeDjzKGkG8fzn33XYEo
> =18O7
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
>
>
More information about the Freedombox-discuss
mailing list