On Wed, Mar 09, 2011 at 11:00:38PM -0500, Daniel Kahn Gillmor wrote:
On 03/09/2011 06:11 PM, Melvin Carvalho wrote:
Traditionally we've always 'self signed' our WebID certificates. So there's no CA that needs to be in the loop. In fact, I don't know of any instance WebID has *ever* been used with a CA, but I suppose it is possible too. :)

For plain http:// URL WebIDs, there is no CA in the loop; but plain http:// WebIDs are vulnerable to a pretty trivial attack by someone with reasonable control of the network -- all they need to do is forge DNS or intercept traffic to convince the server doing a backhaul lookup that the client's presented WebID cert is legit. This level of vulnerability to an attacker in control of the network doesn't seem to meet the standards I'd hope for a robust, freedom-preserving scheme.

So that leaves https:// WebIDs, which in turn need some sort of certificate validation. I'm pretty sure that any WebID that points to an https:// URL relies on the CA cartel to validate the backhaul connection, in the current implementations, no? Either the certificate validation is not happening (in which case the scheme is vulnerable to an attacker in control of the network again), or the certificate validation relies on some set of CAs.

I'm happy that WebID is trying to sidestep the CA cartel for end-user certificates. But it seems to rely on either (a) centralized, cryptographically-guaranteed DNS (DNSSEC) or (b) the CA cartel to validate the server-side certificates (or both). Both of these options leave a handful of fairly unaccountable middlemen with the ability to perform denial of service attacks on end user identities and even impersonations.

I'd love to hear suggestions for improving the scheme to be resistant to these middlemen, but I don't think I've heard any of them yet.

I believe the key to this is the FOAF part: I can, in my FOAF file, beyond declaring what friends I have and what WebID public key is linked to it, also declare what CAs I trust (which might be only my very own FreedomBox).

I imagine FreedomBoxes can then grow a web of trust, not only of people but also of CAs.

If some of my close friends trust e.g. CAcert.org then I should also trust it - or alternatively I should lower the trust in those friends.
FreedomBox can help with both those logics, I believe.


 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
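The two branches Jonas describes above (accept a CA that enough trusted friends vouch for, or else lower trust in friends whose declarations conflict with mine) as an added toy model; this is example code written for this page, not anything from the FreedomBox or WebID projects, and every profile, CA name, trust weight and threshold in it is a constructed assumption.

```python
# Added example (not from the thread): a toy model of Jonas's proposal that a
# FOAF profile can declare which CAs its owner trusts, and that a FreedomBox can
# combine friends' declarations into its own view of a CA before relying on it
# to validate the https:// backhaul connection of a WebID lookup.
# All profiles, CA names, weights and thresholds below are constructed.
from dataclasses import dataclass, field


@dataclass
class Profile:
    webid: str
    trusted_cas: set = field(default_factory=set)     # CAs the profile declares trusted
    distrusted_cas: set = field(default_factory=set)  # CAs the profile explicitly rejects


# Constructed FOAF-like data: my own profile plus the profiles of three friends.
ME = Profile("https://me.example/#me", {"my-freedombox-ca"}, {"BadCA"})
FRIENDS = {
    "https://alice.example/#me": Profile("https://alice.example/#me", {"CAcert.org"}),
    "https://bob.example/#me": Profile("https://bob.example/#me", {"CAcert.org", "BadCA"}),
    "https://carol.example/#me": Profile("https://carol.example/#me", {"OtherCA"}),
}
# How much I trust each friend's judgement, in [0, 1] (constructed values).
FRIEND_TRUST = {"https://alice.example/#me": 0.9,
                "https://bob.example/#me": 0.7,
                "https://carol.example/#me": 0.4}


def ca_trust(ca, me=ME, friends=FRIENDS, friend_trust=FRIEND_TRUST):
    """Score a CA in [0, 1]: 0.0 if I explicitly reject it, 1.0 if I trust it
    myself, otherwise the trust-weighted fraction of friends who vouch for it."""
    if ca in me.distrusted_cas:
        return 0.0
    if ca in me.trusted_cas:
        return 1.0
    total = sum(friend_trust.values())
    if total == 0:
        return 0.0
    backing = sum(w for uri, w in friend_trust.items() if ca in friends[uri].trusted_cas)
    return backing / total


def accept_ca(ca, threshold=0.5, **kw):
    """First branch: accept the CA if enough close friends vouch for it."""
    return ca_trust(ca, **kw) >= threshold


def demote_friends(me=ME, friends=FRIENDS, friend_trust=FRIEND_TRUST, penalty=0.5):
    """Second branch: halve trust in friends who vouch for a CA I reject.
    Returns a new trust map; the input map is left unchanged."""
    out = dict(friend_trust)
    for uri, profile in friends.items():
        if profile.trusted_cas & me.distrusted_cas:
            out[uri] = out[uri] * penalty
    return out
```

With the constructed data, CAcert.org is backed by alice and bob (weight 1.6 of 2.0) and is accepted, OtherCA is backed only by carol and is not, and bob's trust drops because he vouches for a CA I explicitly reject.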


Freedombox-discuss mailing list
http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
