[OpenID] cryptographics web of trust

Peter Williams pwilliams at rapattoni.com
Sun Aug 19 20:53:53 UTC 2007


Henry
 
In terms of prior art, I believe I can now recast what you describe on - or imply in http://blogs.sun.com/bblfish/entry/cryptographic_web_of_trust.
 
(1) You are choosing to act as a Certification Authority, re-signing the public keys of your friends.

    Properly, you confirmed your friends' real-world id via biometrics before performing the act of certification.

    You also published a policy-wide affidavit that represents your certification semantics: "These keys were assured enough for my purposes! Information redundancy SHOULD furthermore assure anyone doubting the required SemWeb integrity."

    You then stored the signatures of such "two-part certificates" on your server: the public keys remain on your friends' servers. This contrasts with a PGP keyring.

    I'll assume your scheme can apply equally to OpenID Server-agents and Consumer-agents which must rely on each other.

 
(2) You can also be said to be acting as a maintainer of a "Certificate Trust List". Have your Apache script now compute, in real time, the Python equivalent of
 

        // C# against the SemWeb library: select every foaf:name and foaf:knows
        // statement in the store and stream them out as N3 on standard output.
        using System;
        using SemWeb;

        const string FOAF = "http://xmlns.com/foaf/0.1/";
        static readonly Entity foafknows = FOAF + "knows";
        static readonly Entity foafname = FOAF + "name";

        using (RdfWriter w = new N3Writer(Console.Out))
        {
            // null acts as a wildcard in a Statement pattern
            store.Select(new Statement(null, foafname, null), w);
            store.Select(new Statement(null, foafknows, null), w);
        }

		 
    Then, have an HTTP filter in your servlet engine handle the N3 signing "suitably" and on the fly, targeting both HTTP proxies and end-users.

    This allows folks to use you now as an "authority", introducing them to who else might be a decent _authority_ to rely upon. They use you and those others you introduce as _authoritative_ redundant access points ... when they must obtain those certifications protecting the integrity of those critical (publickey->foafname) bindings.

    Note I have not YET addressed your suggestion that yet another FOAF file can be authoritative for "organizations", such as SUN, that may be operating an OpenID-server providing authoritative certification info and discovery information to other authorities.

    Perhaps, let's formalize authority and crypto before binding those constructs to "organizational" notions that are typically tied to hierarchical naming, and sometimes corresponding hierarchical authority meshes. I'm still digesting your http://blogs.sun.com/bblfish/entry/a_foaf_file_for_sun as it relates to OpenID Auth.
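The scheme sketched in (1) and (2) above, worked through in code as an added example that is not part of the thread, of Henry's blog post, or of the SemWeb library. Peter asks for a Python equivalent; Go is used here only because its standard library ships Ed25519, so the signing half runs without extra packages. Everything specific is assumed: Ed25519 as the certifier's signature algorithm (the thread fixes none), an in-memory Store standing in for both the SemWeb store and the friend's key server, a made-up `holdsKey` predicate binding a person's URI to the public key on their own server, and constructed example.org URIs and names. The point it makes visible is the separation in the "two-part certificate": the certifier's server holds only a signature, and a relying party must fetch the key from the friend's server, rebuild the canonical (publickey->foafname) binding, and check it, so a changed name or a substituted key fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Triple is one RDF statement; subject and predicate are URIs, the object a URI or literal.
type Triple struct{ S, P, O string }

const FOAF = "http://xmlns.com/foaf/0.1/"

var (
	foafKnows = FOAF + "knows"
	foafName  = FOAF + "name"
	// holdsKey is an assumed predicate (not from the thread) binding a person's URI to the
	// Ed25519 public key published on that person's own server.
	holdsKey = "http://example.org/ns#holdsKey"
)

// Store is a minimal in-memory triple store standing in for the SemWeb store in the C# snippet.
type Store struct{ Triples []Triple }

// Select returns the triples matching the pattern; "" is a wildcard, like null in SemWeb's Statement.
func (st *Store) Select(s, p, o string) []Triple {
	var out []Triple
	for _, t := range st.Triples {
		if (s == "" || t.S == s) && (p == "" || t.P == p) && (o == "" || t.O == o) {
			out = append(out, t)
		}
	}
	return out
}

// n3Term renders an object as a URI reference or as a quoted, escaped literal.
func n3Term(o string) string {
	if strings.HasPrefix(o, "http://") || strings.HasPrefix(o, "https://") {
		return "<" + o + ">"
	}
	return fmt.Sprintf("%q", o)
}

// ToN3 serializes triples as N3 statements in sorted order, so the same graph always yields
// the same bytes and a signature over it can be reproduced by the verifier.
func ToN3(ts []Triple) string {
	lines := make([]string, 0, len(ts))
	for _, t := range ts {
		lines = append(lines, fmt.Sprintf("<%s> <%s> %s .", t.S, t.P, n3Term(t.O)))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n") + "\n"
}

// Certificate is the certifier's half of the "two-part certificate": only the signature over the
// (publickey -> foafname) binding lives on the certifier's server; the key stays with the friend.
type Certificate struct {
	Subject   string // the friend's URI
	Signature []byte
}

// bindingN3 is the canonical statement set the certifier attests to for one friend.
func bindingN3(subject, name string, pub ed25519.PublicKey) []byte {
	return []byte(ToN3([]Triple{
		{subject, foafName, name},
		{subject, holdsKey, base64.StdEncoding.EncodeToString(pub)},
	}))
}

// Certify signs the binding; the identity check behind it happens out of band, before this call.
func Certify(certifierPriv ed25519.PrivateKey, subject, name string, pub ed25519.PublicKey) Certificate {
	return Certificate{subject, ed25519.Sign(certifierPriv, bindingN3(subject, name, pub))}
}

// VerifyBinding rebuilds the binding from the key fetched from the friend's server and the
// name found in the FOAF graph, then checks it against the certifier's stored signature.
func VerifyBinding(certifierPub ed25519.PublicKey, cert Certificate, name string, pub ed25519.PublicKey) bool {
	return ed25519.Verify(certifierPub, bindingN3(cert.Subject, name, pub), cert.Signature)
}

// SignedTrustList is part (2): select the foaf:name and foaf:knows statements, serialize them
// as N3 and sign the result on the fly, so relying parties can verify the list they fetch.
func SignedTrustList(certifierPriv ed25519.PrivateKey, store *Store) (string, []byte) {
	n3 := ToN3(store.Select("", foafName, "")) + ToN3(store.Select("", foafKnows, ""))
	return n3, ed25519.Sign(certifierPriv, []byte(n3))
}

// Demo runs the scheme on constructed data: the certifier signs one friend's binding, then a
// verifier checks the genuine binding, a changed name, a substituted key, and the trust list.
func Demo() (genuine, changedName, swappedKey, listOK bool) {
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	friendPub, _, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	certifier, friend := "http://example.org/henry#me", "http://example.org/peter#me" // constructed
	cert := Certify(certPriv, friend, "Peter Williams", friendPub)
	genuine = VerifyBinding(certPub, cert, "Peter Williams", friendPub)
	changedName = VerifyBinding(certPub, cert, "Someone Else", friendPub)
	swappedKey = VerifyBinding(certPub, cert, "Peter Williams", otherPub)
	store := &Store{[]Triple{
		{certifier, foafName, "Henry Story"},
		{friend, foafName, "Peter Williams"},
		{certifier, foafKnows, friend},
	}}
	n3, sig := SignedTrustList(certPriv, store)
	listOK = ed25519.Verify(certPub, []byte(n3), sig)
	return
}

func main() {
	g, n, k, l := Demo()
	fmt.Printf("genuine=%v changedName=%v swappedKey=%v trustList=%v\n", g, n, k, l)
}
```

Running it prints genuine=true changedName=false swappedKey=false trustList=true. The sorted serialization in ToN3 is what makes the detached signature usable at all: if the certifier and the verifier emitted the same triples in different orders, the bytes under the signature would differ and every honest binding would fail.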

 

________________________________

From: general-bounces at openid.net on behalf of Peter Williams
Sent: Sun 8/19/2007 11:34 AM
To: Henry Story
Cc: OpenID General
Subject: Re: [OpenID] cryptographics web of trust



Henry:

I've now learned basic N3. Programming it helped. Reading an RDF book did not.
