On 6/8/07, David Chisnall <[EMAIL PROTECTED]> wrote: > Hi everyone, it's time for my (ir)regular set of random ramblings: > > I think one of the main focusses of Étoilé is going to be > collaboration. Jesse and I are planning on integrating the current > XMPP application closely with the emerging desktop, and making it > easy to build collaborative workflows. This brings up the question > of reputation, closely tied to security. > > At the simplest level, there is the question of whether I can trust > messages from an online identity are actually from that identity. We > can use cryptography to verify this, if we have exchanged keys, but > the key exchange is a problem. Here's an example:
There are some ways to get certificates as a prove of identity. I don't know whether it is what you want. Some people include such certificates in the email to prove it is the right person who send the email. In terms of whether you can trust the organization who issues certificates is another issue. But considering people add their buddies manually, or at least they agree to, based on email address, it is much reliable than emails. That is why there are so many phishing through emails. Yen-Ju > > I can chat to Jesse online, but we have never met in person. If > someone sends a public key claiming it is from Jesse, I have no way > of knowing whether it actually is. On the other hand, I have met > Nicolas in person, and it's relatively easy for me to verify a key > exchange with him. Nicolas and Jesse have also met, so he could have > a copy of Jesse's public key, and would be able to verify that this > identity did, indeed, represent Jesse. > > Now, this pre-supposes that I trust Nicolas. If I trust him a bit, > then maybe I could ask Quentin to see if he agreed, and if both > people concurred, then I could establish a trust relationship with > the identity claiming to represent Jesse. > > One possible use for this beyond cryptography connects to the other > information published via XMPP. Each person is able to publish a > vCard, which contains their contact information. If I am certain > that the identity represents a person, I might want to allow the > information they publish to supersede the information in my address > book; if they have moved house, jobs or email addresses, for example, > then this should be automatically updated. > > I would also be interested in using this kind of trust metric, and > friend-of-friend relations for access control. > > Thoughts? Comments? Jeering from the gallery? > _______________________________________________ > Etoile-discuss mailing list > [email protected] > https://mail.gna.org/listinfo/etoile-discuss > _______________________________________________ Etoile-discuss mailing list [email protected] https://mail.gna.org/listinfo/etoile-discuss
