[Freedombox-discuss] FOAF developers taking FreedomBox into their equation
Jonas Smedegaard
dr at jones.dk
Fri Mar 11 00:29:11 UTC 2011
On Thu, Mar 10, 2011 at 06:09:40PM -0500, Daniel Kahn Gillmor wrote:
>On 03/10/2011 04:27 PM, Henry Story wrote:
>
>> You get other very valuable pieces: linked data being the most
>> important. The success of the web tells you how important hyper text
>> was. Hyper data won't be different.
>
>If you tell me "let's use FOAF to publish relationship data", i'll say
>"great! that sounds lovely, and i haven't heard a better proposal".

I say "let's use FOAF to manage relationship data at the core of
FreedomBox, consumable *both* internally by relevant apps *and*
externally for exchanging sensible data between trusted peers and
publishing non-sensible (if any) data in public."

I also say "let's offer web-of-trust as an end-user feature - i.e. let's
tie GPG and/or tinyca to that same core FOAF storage, allowing users to
maintain trust in their _peers_ instead of separately keep track of GPG
keyrings, SSL CA trustlists, email addressbooks, chat rosters etc."

I imagine that integrated gardening of trust network and friendships
_improves_ the quality of trust network for our users.

Do you agree so far?

If not, do you expect our users to handle GPG keysigning like us geeks
do it, or how do you imagine normal humans to grow and maintain their
own web of trust?

>But this discussion has been about using WebID as an *authentication*
>mechanism -- that is, a way to bind a real-world entity to a name (in
>the WebID case, the name is the URI) to a public key.
>
>My point is simply that WebID does not address this question of
>authentication. Rather, it punts it to the current CA cartel. We
>shouldn't be doing that if our goal is to avoid centralized control.

I feel you are mixing two different issues here, and it is not really
WebID you are criticizing but classic hierarchical DNS.

Seems to me - still after this interesting discussion - that self-signed
SSL certificates are adequate for deploying WebID. Sure, that does not
ensure initial connection for new relationships but that seems to me
similar to the bootstrapping of a completely virgin PGP key.

Even with an untrusted DNS, it is my understanding that self-signed
certification cannot be hijacked without notice.

Sorry if I am dense: could you try to explain to me why self-signed
certificates or peer-coordinated CA trust metrics are irrelevant for use
with WebID?

I believe we are not trying to figure out a way to trust the whole World
Wide Web, just maintain trust in peer FreedomBoxes not being
man-in-the-middle attacked.

Regards,
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private