[Debwebid-discuss] Debconf WebID Bof

Diane Trout diane at ghic.org
Wed Sep 4 00:46:23 UTC 2013 

Hello,

I've been interested in the semantic web stack and have made tried a few WebID 
experiments, so I watched the WebID BoF at debconf

I have a hunch that monkeysphere & WebID are both trying to solve a similar 
problem but from different directions. MonkeySphere is using GPG keys which 
were designed around email and then modifying the key for ssh & possibly 
server certificate verification. While WebID is starting from the web X509 
certificate world. 

I glanced at the thread at debian devel about the problems with webID still 
requiring servers to have CA signed certificates.

It looks like at least early in their thinking about FOAF+SSL
https://blogs.oracle.com/bblfish/entry/more_on_authorization_in_foaf
they were also thinking that you were going to need DNSSEC or CA validated 
certificates to verify you were talking to the right web server.

I think there's probably a way to work around that issue.

http://www.w3.org/2005/Incubator/webid/spec/#authentication-sequence
step 5 seems to imply you can check your local cache for the certificate key 
pair . So if your friends add Bob's public key information to their foaf 
profiles you can get some additional checks on what Bob's WebID profile should 
be like.

Imagine somewhere in http://example.edu/~diane/me.ttl there's the following 
statements.

:me 
  foaf:knows <https://example.org/~bob/me.rdf> .

<https://example.org/~bob/me.rdf>
  cert:key [ 
    a cert:RSAPublicKey ;
    cert:modulus "cb24ed..."^^xsd:hexBinary ;
    cert:exponent 65537 ;
  ] .

If the WebID people could be convinced to recommend that additional step, I 
think you should be able to have a validator that includes the check: "At 
least 3 people I trust list the public key being presented to me." (I'm not 
sure how to handle revocations with that model though.)

To actually sell WebID to non semantic web people I suspect it would be useful 
to have examples using http://www.w3.org/wiki/WebAccessControl

I think you should be able to express something like:

The people who can comment on my blog are people I know, or are members of a 
major open source projects. 

Using the GPG world that would roughly be people whose GPG keys I've signed, 
or their public key are in the Debian, Apache, Ubuntu or Fedora keyrings)

Diane

More information about the Debwebid-discuss mailing list