Text archives Help


Re: [projectvrm] Personal web presence ("home page") checklist


Chronological Thread 
  • From: Johannes Ernst < >
  • To: Dan Lyke < >, Don Marti < >
  • Cc: projectvrm < >
  • Subject: Re: [projectvrm] Personal web presence ("home page") checklist
  • Date: Tue, 25 Aug 2015 21:27:59 -0700


On Tue, Aug 25, 2015 at 1:15 PM, Don Marti < " class=""> > wrote:
* Link to keybase.io account (connect social accounts
  claiming to be you to your real public key)

keybase.io is centralization. First choice is just publishing your PGP
key on the site, although to be useful this must be served over HTTPS
or be verified in some other way.

I’m not sure that https does very much here. For the public key to be trustworthy, I need to know that
1. the key I receive is indeed the key that is served by upon2020.com (my site — I publish my pgp key there via http, so it’s a good example)
2. the key served by upon2020.com is the key the owner of the site intended to serve
3. the site is under the effective control of one Johannes Ernst
4. the Johannes Ernst that owns that site is indeed the Johannes Ernst I want to communicate with

So there are several avenues of attack, only some of which can be mitigated with HTTPS. I choose to believe that I’m not a valuable target enough to attack my public key distribution, in particular because I still send the majority of my e-mail unencrypted :-)

The more secure way of matching key to individual is to receive the key from the individual directly, e.g. in direct contact, or by (secure) introduction from a trusted third party.

(And I'm hoping that something like https://github.com/zrm/snow
catches on so that our links and identity start to have public key
verification built in at the identifier level...)

* (coming soon) Let's Encrypt or other SSL support

Given the amount of MitM attacks we're seeing these days, I think this
is a necessity if you're publishing keys. I don't know that we've seen
any exploits yet, and I still lack ssl on the sites I host, but...

* microformats for any public contact info (?)

vcard seems like a no-brainer, although marking up the page with MF2
syntax also seems like a no-brainer.

Back to Don’s original question: it should also have the tools by which the site owner would like to interact with others. Today, unfortunately, that largely is limited to blogging, plus some ways for others to talk back (commenting, pingbacks etc.) Innovation required here.

Cheers,


Johannes.


Archive powered by MHonArc 2.6.19.