I've just posted a new version of a draft for an extension to the current vCard format, "Signed vCards" [1]. The general idea is to use existing encryption techniques to turn an existing format for "identity description" into one for "identity authentication", including non-email-based identifiers, change of identifiers over time, publication and revocation of keys, and so forth.
The reason I'm putting all of this together is that, after finding out just how brittle the current Certificate Authority system is, I wanted to have a replacement that was much mushier and resistant to root-CA hijacking, possibly based on some form of web-of-trust. I'm currently trying to teach myself enough about webfist [2] to see if it can be adapted for the purpose, likely by replacing its current DKIM-based authentication system. My thought is that if that can be made to work, then it may be feasible to try combining Signed vCards with CA-style certificates. There's also the possibility that I'm completely deluded about the whole approach. I'm not an expert in the field; I'm just trying to find a solution that's within my meager skills. So I'm hoping to evoke as much feedback and constructive criticism as I can. Since swapping out hierarchical CAs for a system more resistant to a subpoena attack would seem to help reduce pervasive monitoring, this list seems a worthwhile place to discuss it. So: How can my ideas be improved? [1] https://datatracker.ietf.org/doc/draft-boese-vcarddav-signedvcard/ [2] http://www.onebigfluke.com/2013/06/bootstrapping-webfinger-with-webfist.html Thank you for your time, -- DataPacRat "Then again, I could be wrong." _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
