[Debwebid-discuss] Debconf WebID Bof
Diane Trout
diane at ghic.org
Wed Sep 4 00:46:23 UTC 2013
Hello,
I've been interested in the semantic web stack and have tried a few WebID
experiments, so I watched the WebID BoF at DebConf.
I have a hunch that monkeysphere & WebID are both trying to solve a similar
problem but from different directions. MonkeySphere is using GPG keys which
were designed around email and then modifying the key for ssh & possibly
server certificate verification. While WebID is starting from the web X509
certificate world.
I glanced at the thread on debian-devel about the problems with WebID still
requiring servers to have CA-signed certificates.
It looks like at least early in their thinking about FOAF+SSL
https://blogs.oracle.com/bblfish/entry/more_on_authorization_in_foaf
they were also thinking that you were going to need DNSSEC or CA validated
certificates to verify you were talking to the right web server.
I think there's probably a way to work around that issue.
http://www.w3.org/2005/Incubator/webid/spec/#authentication-sequence
step 5 seems to imply you can check your local cache for the certificate key
pair. So if your friends add Bob's public key information to their FOAF
profiles, you can get some additional checks on what Bob's WebID profile should
be like.
Imagine somewhere in http://example.edu/~diane/me.ttl there are the following
statements (prefix declarations added so the snippet parses as a complete Turtle
document; the modulus is elided as in the original):

    @prefix foaf: <http://xmlns.com/foaf/0.1/> .
    @prefix cert: <http://www.w3.org/ns/auth/cert#> .
    @prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
    @prefix :     <http://example.edu/~diane/me.ttl#> .

    # I know Bob, identified by his WebID.
    :me
        foaf:knows <https://example.org/~bob/me.rdf> .

    # And I vouch for the RSA public key in Bob's client certificate.
    <https://example.org/~bob/me.rdf>
        cert:key [
            a cert:RSAPublicKey ;
            cert:modulus "cb24ed..."^^xsd:hexBinary ;
            cert:exponent 65537 ;
        ] .
If the WebID people could be convinced to recommend that additional step, I
think you should be able to have a validator that includes the check: "At
least 3 people I trust list the public key being presented to me." (I'm not
sure how to handle revocations with that model though.)
To actually sell WebID to non-semantic-web people, I suspect it would be useful
to have examples using http://www.w3.org/wiki/WebAccessControl
I think you should be able to express something like:
The people who can comment on my blog are people I know, or are members of a
major open source project.
In the GPG world that would roughly be people whose GPG keys I've signed,
or whose public keys are in the Debian, Apache, Ubuntu or Fedora keyrings.
Diane
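A worked version of the validator check proposed in the post ("at least 3 people I trust list the public key being presented to me"), added here as an example; it is not code from the post, from the WebID spec, or from monkeysphere. It assumes the trusted profiles have already been fetched and use the cert:key / cert:modulus / cert:exponent idiom from the post's snippet verbatim (the parser is a narrow regex over that idiom, not a general Turtle parser), that the key presented in Bob's client certificate has already been extracted as a modulus/exponent pair, and that the profiles and WebIDs below are constructed sample data with shortened moduli.

```python
"""Web-of-trust check for a WebID public key (added example, not project code).

Counts how many profiles I trust assert the same cert:key for Bob's WebID
and requires a threshold. The profiles are constructed sample data; the
parsing is a deliberately narrow regex over the cert:key idiom used in the
post, not a general Turtle parser (assumption: trusted profiles use it verbatim).
"""
import re
from dataclasses import dataclass

BOB = "https://example.org/~bob/me.rdf"  # Bob's WebID (from the post)

PREFIXES = """
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
"""


def profile(modulus, exponent):
    """Build a constructed profile that vouches for a key of Bob's (sample data)."""
    return PREFIXES + f"""
<#me> foaf:knows <{BOB}> .
<{BOB}> cert:key [
    a cert:RSAPublicKey ;
    cert:modulus "{modulus}"^^xsd:hexBinary ;
    cert:exponent {exponent} ;
] .
"""


# Constructed profiles of people I trust, keyed by their (assumed) WebIDs.
# Moduli are shortened for illustration; a real RSA modulus is far longer.
TRUSTED_PROFILES = {
    "http://example.edu/~diane/me.ttl#me": profile("cb24ed1f9a0b3c4d5e6f70819293a4b5", "65537"),
    "https://example.net/~alice/card#me": profile("CB24ED1F9A0B3C4D5E6F70819293A4B5", "65537"),  # upper-case hex
    "https://example.com/~carol/foaf#me": profile("00cb24ed1f9a0b3c4d5e6f70819293a4b5", '"65537"^^xsd:integer'),  # leading 0x00, typed literal
    "https://example.org/~mallory/me#me": profile("deadbeef00112233445566778899aabb", "65537"),  # vouches for a different key
}


@dataclass(frozen=True)
class RSAKey:
    modulus: str  # lower-case hex with leading zero bytes stripped
    exponent: int

    @classmethod
    def normalise(cls, modulus_hex, exponent):
        # hexBinary is case-insensitive and a DER-encoded modulus often carries a
        # leading 0x00 byte, so canonicalise before comparing.
        m = re.sub(r"\s+", "", modulus_hex).lower().lstrip("0") or "0"
        return cls(m, int(exponent))


# <subject> cert:key [ ... ] .   (body captured non-greedily up to the closing bracket)
KEY_BLOCK = re.compile(r"<(?P<subject>[^>\s]+)>\s+cert:key\s+\[(?P<body>.*?)\]\s*\.", re.S)
MODULUS = re.compile(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"')
EXPONENT = re.compile(r'cert:exponent\s+"?(\d+)"?')  # plain integer or "65537"^^xsd:integer


def keys_asserted_for(turtle, webid):
    """Every RSAKey the profile text asserts for `webid` via cert:key."""
    found = set()
    for block in KEY_BLOCK.finditer(turtle):
        if block.group("subject") != webid:
            continue
        m = MODULUS.search(block.group("body"))
        e = EXPONENT.search(block.group("body"))
        if m and e:
            found.add(RSAKey.normalise(m.group(1), e.group(1)))
    return found


def endorsers(profiles, webid, presented):
    """WebIDs of trusted profiles listing `presented` as a key of `webid`.

    A profile counts once, however many keys it lists for `webid`. Note the
    caveat from the post: cached profiles say nothing about revocation, so a
    key Bob has since dropped can still collect endorsements from stale copies.
    """
    return {who for who, ttl in profiles.items() if presented in keys_asserted_for(ttl, webid)}


def web_of_trust_ok(profiles, webid, presented, threshold=3):
    """The proposed extra validator step: enough trusted people vouch for the key."""
    return len(endorsers(profiles, webid, presented)) >= threshold


if __name__ == "__main__":
    # Key as it would come out of the SubjectPublicKeyInfo of Bob's client cert
    # (assumed already extracted; DER gives the modulus a leading 0x00 byte).
    presented = RSAKey.normalise("00CB24ED1F9A0B3C4D5E6F70819293A4B5", 65537)
    print(sorted(endorsers(TRUSTED_PROFILES, BOB, presented)))
    print("trusted" if web_of_trust_ok(TRUSTED_PROFILES, BOB, presented) else "rejected")
```

Three of the four constructed profiles vouch for the presented key, so the check passes; a key only Mallory lists gets one endorsement and is rejected. The threshold is per trusted profile, not per cert:key statement, so one friend listing Bob's old and new keys does not double-count.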