[foaf-dev] RDFAuth: an initial sketch
Kjetil Kjernsmo
kjetil at kjernsmo.net
Thu Mar 27 21:26:59 GMT 2008
On Thursday 27 March 2008, Story Henry wrote:
> 7. Juliette uses the answer in 6 to GET the PGP key.
> (what to do if someone has more than one PGP key?)
>
> 8. Romeo's server returns the PGP key

I think the critical issue to be considered in any system that uses PGP
is "how do you establish the trust network?" For all I know, you're not
Henry at all, you're Mallory, but you just created a key with Henry's
name and email on. Baaaaad Mallory! (and oh, my client screamed that
this message had an invalid signature at me).

There are of course various ways to establish those trusted links, but I
think that when you use something as powerful as PGP, you might want to
be careful. There is little point in PGP if your way of establishing
trust is weak; then the trust network will be the point of attack
anyway. As a minimum policy, I only sign keys of people I meet face to
face and who have a photo ID that looks reasonably official.

PGP is great, and I'm always open to signing and to organise key signing
parties, but I think that requiring PGP is hindering adoption to the
extent where it is not very useful. I think that rather than requiring
PGP, you could create a system where a trust metric is influenced by how
the trust is established, and then a PGP-hardened social network would
be trusted more than a random foaf:knows triple found somewhere on the
net...

So, for example, in Phil's child-abuse case, information could only be
shared in encrypted form between trusted parties.

Cheers,

Kjetil
--
Kjetil Kjernsmo
Programmer / Astrophysicist / Ski-orienteer / Orienteer / Mountaineer
kjetil at kjernsmo.net
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
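
Added example, not part of the original message or of any RDFAuth code: a sketch of a trust metric in which each link is weighted by how it was established, so a PGP-verified path outranks a bare foaf:knows triple. The evidence kinds, weights, threshold and sample graph are assumptions chosen for illustration.

```python
import heapq

# Assumed weights per evidence kind (illustrative values, not from the post).
EVIDENCE_WEIGHT = {
    "pgp_face_to_face": 0.95,  # key signed after meeting in person with photo ID
    "pgp_signed": 0.70,        # key signature, verification policy unknown
    "foaf_knows": 0.20,        # unsigned foaf:knows triple found on the web
}

def best_trust(edges, source, target):
    """Return the highest path trust from source to target (0.0 if no path).

    Path trust is the product of edge weights, so one weak link caps the
    whole path. Best-first search is valid because every weight is <= 1:
    the first time the target is popped, no better path can exist.
    """
    graph = {}
    for who, whom, kind in edges:
        graph.setdefault(who, []).append((whom, EVIDENCE_WEIGHT[kind]))
    best = {source: 1.0}
    heap = [(-1.0, source)]  # max-heap via negated trust
    while heap:
        neg, node = heapq.heappop(heap)
        trust = -neg
        if node == target:
            return trust
        if trust < best.get(node, 0.0):
            continue  # stale heap entry, a better path was already found
        for nxt, weight in graph.get(node, []):
            cand = trust * weight
            if cand > best.get(nxt, 0.0):
                best[nxt] = cand
                heapq.heappush(heap, (-cand, nxt))
    return 0.0

def may_share_sensitive(edges, source, target, threshold=0.5):
    # Policy gate: release sensitive data only above the assumed threshold.
    return best_trust(edges, source, target) >= threshold

# Constructed sample graph: (truster, trusted, how the link was established).
EDGES = [
    ("juliette", "romeo", "foaf_knows"),
    ("juliette", "nurse", "pgp_face_to_face"),
    ("nurse", "romeo", "pgp_signed"),
    ("juliette", "mallory", "foaf_knows"),
]
```

With these weights Romeo is reached at about 0.665 through the PGP-signed path rather than 0.2 through the bare triple, while Mallory, known only through an unsigned triple, stays below the sharing threshold.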