Hi everyone, it's time for my (ir)regular set of random ramblings: I think one of the main focusses of Étoilé is going to be collaboration. Jesse and I are planning on integrating the current XMPP application closely with the emerging desktop, and making it easy to build collaborative workflows. This brings up the question of reputation, closely tied to security.
At the simplest level, there is the question of whether I can trust messages from an online identity are actually from that identity. We can use cryptography to verify this, if we have exchanged keys, but the key exchange is a problem. Here's an example: I can chat to Jesse online, but we have never met in person. If someone sends a public key claiming it is from Jesse, I have no way of knowing whether it actually is. On the other hand, I have met Nicolas in person, and it's relatively easy for me to verify a key exchange with him. Nicolas and Jesse have also met, so he could have a copy of Jesse's public key, and would be able to verify that this identity did, indeed, represent Jesse. Now, this pre-supposes that I trust Nicolas. If I trust him a bit, then maybe I could ask Quentin to see if he agreed, and if both people concurred, then I could establish a trust relationship with the identity claiming to represent Jesse. One possible use for this beyond cryptography connects to the other information published via XMPP. Each person is able to publish a vCard, which contains their contact information. If I am certain that the identity represents a person, I might want to allow the information they publish to supersede the information in my address book; if they have moved house, jobs or email addresses, for example, then this should be automatically updated. I would also be interested in using this kind of trust metric, and friend-of-friend relations for access control. Thoughts? Comments? Jeering from the gallery? _______________________________________________ Etoile-discuss mailing list [email protected] https://mail.gna.org/listinfo/etoile-discuss
