
New WebID spec out - fixes issues that came up

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 12 Dec 2011 21:55:21 +0100
Message-Id: <99C8F2B2-4D7C-4641-ABF3-8284F3454E24@bblfish.net>
Cc: Edward O'Connor <eoconnor@apple.com>, Brad Hill <bhill@paypal-inc.com>
To: public-identity@w3.org

Hi all,

A month or so ago the WebID spec came up in discussions on this list. An older criticism by Brad Hill was mentioned, and Edward O'Connor also joined in with some of his own points. Those issues were, to be fair, ones arising out of what was a very incomplete and still badly written specification, I do have to admit. In the past month and a half since the discussion on this list, we have done some very serious work on the specification, reworking a lot of the text, adding some much more detailed diagrams, and clearing up the misunderstandings we felt those had led to.

I invite you to please look again at the spec which is now up here
 
     http://www.w3.org/2005/Incubator/webid/spec/
     alias http://webid.info/spec

Perhaps just to take one point from Brad Hill's message [1]

> 1. The existing install base of TLS terminators cannot support the protocol

We have now in our diagram ( http://webid.info/spec#authentication-sequence ) distinguished between the TLS-Light Service and the Application level Guard. The TLS service is now clearly explained to be a normal TLS endpoint minus essentially Trust management. So I think the install base of TLS should be able to deal with this. 

> 2. TLS terminators must communicate WebID context to apps

They only need to pass the certificate to what we name the Guard, which will pass the WebID claims to the WebID verifier.

> 3. Performance and scalability is terrible relative to server-auth-only TLS

Server-auth should require verification of client certificates. So there is not much loss and much to gain because of the growth in distribution which CAs don't allow. Any other protocol needs something similar. We also allow these to be done in an asynchronous way.

Anyway, I think these points now come out much more clearly in the specification.

   Please let us know if there are other issues that you see. We welcome feedback.

	Sincerely,

		Henry Story, WebID Incubator Chair


[1]  http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0127.html

Social Web Architect
http://bblfish.net/
Received on Monday, 12 December 2011 21:03:33 GMT
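
As an illustration of the split the message describes (a TLS endpoint that does no trust management and hands the certificate to the Guard), here is an added nginx configuration. It is not part of the original message or the WebID spec; the host name, file paths, header names and upstream address are assumptions.

```nginx
# Added example, not from the WebID spec or the original message.
# Host name, file paths, header names and upstream address are assumptions.
server {
    listen 443 ssl;
    server_name webid.example;                      # placeholder host

    ssl_certificate     /etc/nginx/tls/server.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Request a client certificate but skip CA chain validation, so
    # self-signed certificates complete the handshake. The handshake still
    # proves the client holds the private key for the certificate it sent.
    ssl_verify_client optional_no_ca;

    location / {
        # proxy_set_header replaces any client-supplied header of the same
        # name, so the Guard only ever sees the certificate from the handshake.
        # The value is the URL-encoded PEM certificate (empty if none was sent).
        proxy_set_header X-Client-Cert   $ssl_client_escaped_cert;

        # NONE when no certificate was sent, FAILED:<reason> when the chain
        # is not trusted (the expected case for self-signed certificates).
        proxy_set_header X-Client-Verify $ssl_client_verify;

        proxy_pass http://127.0.0.1:8080;           # Guard / application (assumed)
    }
}
```

With this setup the terminator makes no trust decision, so the Guard has to treat the forwarded certificate as an unverified claim until the WebID verifier has checked it.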
