Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On 25 September 2012 23:39, Kingsley Idehen <kidehen@openlinksw.com> wrote:
> On 9/25/12 5:31 PM, Ben Laurie wrote:
>>
>> On 25 September 2012 20:16, Kingsley Idehen <kidehen@openlinksw.com>
>> wrote:
>>>
>>> On 9/25/12 2:44 PM, Henry Story wrote:
>>>>
>>>> I am just ccing Andrei, because Ben
>>>> (http://research.google.com/pubs/author9639.html) has found a bug
>>>> in https://my-profile.eu/ (see below). My guess is that Ben logged in
>>>> with a certificate that is not WebID enabled. So that's a good extra
>>>> test case to add. Of course for people like Ben, the failure of having
>>>> a Logout button on Chrome is going to add to that inconvenience,
>>>> because having logged in with a certificate that may not be signed by
>>>> a CA my-profile.eu knows about, he won't be able to change his
>>>> certificate later after having made a new one.
>>>
>>>
>>> Ben,
>>>
>>> Wondering if you evaluated WebID using any other services or scenarios?
>>> Your feedback would be much appreciated.
>>>
>>> Henry: I keep on telling you, one implementation doesn't canonically
>>> reflect WebID. As you can imagine, Ben is time challenged; if he plays
>>> with a solution that's pitched as canonical, it's natural for him to
>>> draw blanket conclusions.
>>>
>>> I continue to encourage you to separate the concept and virtues of WebID
>>> from a specific WebID solution that aligns with your personal world view
>>> etc..
>>>
>>> In my world view, the simplest demonstration of WebID's value takes the
>>> following form:
>>>
>>> 1. A resource is published to the Web
>>> 2. The resource is ACL protected
>>> 3. Existence of the resource is published via email, tweet, blog post
>>> etc..
>>> 4. A user tries to access the resource -- they fail or succeed subject to
>>> ACL membership
>>> 5. User requests access to resource by providing their WebID to resource
>>> owner -- this is also where signed emails are useful, since the WebID can
>>> be nipped from the sender's signed email certificate.
>>>
>>> In addition to the above, the resource ACL document can itself have ACLs
>>> that enable a variety of users to expand its ACL membership, thereby
>>> making an organic social network.
>>
>> Gah! What does this have to do with WebID? If I substitute "magic pixie
>> dust" for "WebID" in the above, well, I have a fantastic example of
>> how magic pixie dust secures the web. Great. Now what?
>>
>> OK, I guess there's one nugget in there: apparently magic pixie dust
>> can be nipped from unauthenticated email I sent.
>>
>> I'm not feeling very enlightened.
>>
>>
>>
> Ben,
>
> I assumed you attempted to explore WebID via my-profile.eu and hit some
> problems. Hence my comments.
>
> If you are interested in taking a quick look at what's possible with WebID
> and ACLs, I have a simple example on G+. Here are the components in use re.
> aforementioned demo:
>
> 1. WebID -- verifiable identifier in the form of a personal URI
> 2. X.509 Certificate -- watermarked with a WebID in its SAN slot
> 3. Profile Document -- a document with structured content based on the RDF
> data model
> 4. Access Control List Ontology -- this describes the authorization modes
> and how they are scoped to WebIDs.
>
> Links:
>
> 1. http://bit.ly/O4LNKf -- A simple guide to Web-scale verifiable identity
> that leverages WebID based ACLs.

A great example of something I could not possibly ask the average end
user to do.

Is anyone planning to address my questions?
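[Editor's note: the following is an added example, not code from anyone on this thread or from any WebID implementation. It shows the two pieces Kingsley's list leans on (an X.509 client certificate carrying a WebID URI in its subjectAltName, and an ACL keyed by WebID) in a minimal form. The ACL is a plain Go map standing in for the ACL ontology, the WebIDs and resource path are constructed, and the profile-document check that WebID-TLS performs (comparing the certificate's public key with the key published in the profile) is deliberately left out. The case Henry describes above, a login with a certificate that has no WebID SAN, is handled by rejecting the certificate outright rather than treating it as some other identity.]

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ACL maps a resource path to the set of WebIDs (URIs) permitted to read it.
// Constructed stand-in for an ACL document; not the ACL ontology itself.
type ACL map[string]map[string]bool

// WebIDFromCert returns the WebID carried in the certificate's URI SAN.
// Exactly one absolute https URI is required, so a certificate with no URI
// SAN (a non-WebID client cert) is rejected instead of being misread.
func WebIDFromCert(cert *x509.Certificate) (string, error) {
	if len(cert.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(cert.URIs))
	}
	u := cert.URIs[0]
	if u.Scheme != "https" || u.Host == "" {
		return "", errors.New("WebID must be an absolute https URI")
	}
	return u.String(), nil
}

// Authorize is step 4 of the walkthrough: does the presenter of cert appear
// in the ACL entry for resource? Errors mean "not a WebID certificate".
func Authorize(acl ACL, resource string, cert *x509.Certificate) (bool, error) {
	webid, err := WebIDFromCert(cert)
	if err != nil {
		return false, err
	}
	return acl[resource][webid], nil // nil inner map reads as false
}

// SelfSignedWithSAN builds a self-signed client certificate carrying uri in
// the URI SAN slot; a nil uri produces a certificate with no URI SAN at all.
func SelfSignedWithSAN(uri *url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if uri != nil {
		tmpl.URIs = []*url.URL{uri}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: one protected resource, one permitted WebID.
	acl := ACL{"/private/report": {"https://alice.example/profile#me": true}}
	alice, _ := url.Parse("https://alice.example/profile#me")
	bob, _ := url.Parse("https://bob.example/profile#me")

	cases := map[string]*url.URL{"alice": alice, "bob": bob, "no-WebID cert": nil}
	for name, uri := range cases {
		cert, err := SelfSignedWithSAN(uri)
		if err != nil {
			panic(err)
		}
		ok, err := Authorize(acl, "/private/report", cert)
		fmt.Printf("%-14s allowed=%v err=%v\n", name, ok, err)
	}
}
```

Running it prints one line per case: alice is allowed, bob is denied because his WebID is not in the ACL, and the certificate without a URI SAN is refused before any ACL lookup happens. Note that without the profile-document key comparison this only proves that a certificate names a WebID, not that the presenter controls it.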

Received on Wednesday, 26 September 2012 08:45:07 UTC