Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Tue, 25 Sep 2012 18:39:55 -0400
Message-ID: <506232BB.3020001@openlinksw.com>
To: Ben Laurie <benl@google.com>
CC: "public-webid@w3.org" <public-webid@w3.org>
On 9/25/12 5:31 PM, Ben Laurie wrote:
> On 25 September 2012 20:16, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>> On 9/25/12 2:44 PM, Henry Story wrote:
>>> I am just ccing Andrei, because Ben
>>> (http://research.google.com/pubs/author9639.html) has found a bug
>>> in https://my-profile.eu/ (see below). My guess is that Ben logged in with
>>> a certificate that is not WebID enabled. So that's a good extra test case to
>>> add. Of course for people like Ben, the failure of having a Logout button on
>>> chrome is going to add to that inconvenience - because having logged in with
>>> a certificate that may not be signed by a CA my-profile.eu knows about, he
>>> won't be able to change his certificate later after having made a new one.
>> Ben,
>> Wondering if you evaluated WebID using any other services or scenarios? Your
>> feedback would be much appreciated.
>> Henry: I keep on telling you, one implementation doesn't canonically reflect
>> WebID. As you can imagine, Ben is time challenged, if he plays with a
>> solution that's pitched as canonical, it's natural for him to draw blanket
>> conclusions.
>> I continue to encourage you to separate the concept and virtues of WebID
>> from a specific WebID solution that aligns with your personal world view
>> etc..
>> In my world view, the simplest demonstration of WebID's value takes the
>> following form:
>> 1. A resource is published to the Web
>> 2. The resource is ACL protected
>> 3. Existence of the resource is published via email, tweet, blog post etc..
>> 4. A user tries to access the resource -- they fail or succeed subject to
>> ACL membership
>> 5. User requests access to resource by providing their WebID to resource
>> owner -- this is also where signed emails are useful since the WebID can be
>> nipped from the sender's signed email certificate.
>> In addition to the above, the resource acl document can itself have ACLs
>> that enable a variety of users to expand its ACL membership thereby making an
>> organic social network.
> Gah! What does this have to do with WebID? If I substitute "magic pixie
> dust" for "WebID" in the above, well, I have a fantastic example of
> how magic pixie dust secures the web. Great. Now what?
> OK, I guess there's one nugget in there: apparently magic pixie dust
> can be nipped from unauthenticated email I sent.
> I'm not feeling very enlightened.

I assumed you attempted to explore WebID via my-profile.eu and hit some 
problems. Hence my comments.

If you are interested in taking a quick look at what's possible with 
WebID and ACLs, I have a simple example on G+. Here are the components 
in use re. aforementioned demo:

1. WebID -- verifiable identifier in the form of a personal URI
2. X.509 Certificate -- watermarked with a WebID in its SAN slot
3. Profile Document -- a document with structured content based on the 
RDF data model
4. Access Control List Ontology -- this describes the authorization 
modes and how they are scoped to WebIDs.

1. http://bit.ly/O4LNKf -- A simple guide to Web-scale verifiable 
identity that leverages WebID based ACLs.

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
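The four components listed above, wired together as an added Go example (not code from this thread or from any WebID implementation): a certificate with the WebID in its SAN, a profile that publishes the key, and an ACL scoped to WebIDs. The profile and ACL are constructed in-memory maps standing in for the RDF profile document and ACL ontology, and the WebID URI used in testing is a placeholder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"net/url"
	"strings"
	"time"
)
// ProfileKey stands in for the cert:modulus / cert:exponent pair a WebID profile publishes (constructed; no RDF parsing here).
type ProfileKey struct {
	Modulus  string // hex, as in cert:modulus
	Exponent int    // as in cert:exponent
}
// MakeWebIDCert self-signs a certificate carrying the WebID URI in its SAN; no CA is involved.
func MakeWebIDCert(webid *url.URL, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		URIs:         []*url.URL{webid},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// VerifyWebID: the SAN URI names a profile, and that profile must list the cert's own public key.
func VerifyWebID(cert *x509.Certificate, profiles map[string][]ProfileKey) (string, bool) {
	pub, _ := cert.PublicKey.(*rsa.PublicKey) // nil unless RSA: cert:modulus/exponent only describe RSA keys
	for _, u := range cert.URIs {
		for _, k := range profiles[u.String()] {
			// Modulus is compared case-insensitively because profiles publish hex in either case.
			if pub != nil && k.Exponent == pub.E && strings.EqualFold(k.Modulus, pub.N.Text(16)) {
				return u.String(), true
			}
		}
	}
	return "", false
}
// Authorize chains the two steps: WebID verification, then ACL membership for the resource.
func Authorize(cert *x509.Certificate, profiles map[string][]ProfileKey, acl map[string]map[string]bool, resource string) bool {
	webid, ok := VerifyWebID(cert, profiles)
	return ok && acl[resource][webid]
}
```

A profile that lists a different key, or a certificate whose SAN URI has no profile entry, fails the first step, so the ACL is never consulted for an unverified identifier.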

Received on Tuesday, 25 September 2012 22:40:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:35 UTC