- From: Ben Laurie <benl@google.com>
- Date: Wed, 26 Sep 2012 09:44:35 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>
- Cc: "public-webid@w3.org" <public-webid@w3.org>
On 25 September 2012 23:39, Kingsley Idehen <kidehen@openlinksw.com> wrote:
> On 9/25/12 5:31 PM, Ben Laurie wrote:
>>
>> On 25 September 2012 20:16, Kingsley Idehen <kidehen@openlinksw.com>
>> wrote:
>>>
>>> On 9/25/12 2:44 PM, Henry Story wrote:
>>>>
>>>> I am just ccing Andrei, because Ben
>>>> (http://research.google.com/pubs/author9639.html ) - has found a bug
>>>> in https://my-profile.eu/ . (see below) My guess is that Ben logged in
>>>> with
>>>> a certificate that is not WebID enabled. So that's a good extra test
>>>> case to
>>>> add. Of course for people like Ben, the failure of having a Logout
>>>> button on
>>>> chrome is going to add to that inconvenience - because having logged in
>>>> with
>>>> a certificate that may not be signed by a CA my-profile.eu knows about,
>>>> he
>>>> won't be able to change his certificate later after having made a new
>>>> one.
>>>
>>>
>>> Ben,
>>>
>>> Wondering if you evaluated WebID using any other services or scenarios?
>>> Your
>>> feedback would be much appreciated.
>>>
>>> Henry: I keep on telling you, one implementation doesn't canonically
>>> reflect
>>> WebID. As you can imagine, Ben is time challenged, if he plays with a
>>> solution that's pitched as canonical it's natural for him to draw blanket
>>> conclusions.
>>>
>>> I continue to encourage you to separate the concept and virtues of WebID
>>> from a specific WebID solution that aligns with your personal world view
>>> etc.
>>>
>>> In my world view, the simplest demonstration of WebID's value takes the
>>> following form:
>>>
>>> 1. A resource is published to the Web
>>> 2. The resource is ACL protected
>>> 3. Existence of the resource is published via email, tweet, blog post
>>> etc.
>>> 4. A user tries to access the resource -- they fail or succeed subject to
>>> ACL membership
>>> 5. User requests access to resource by providing their WebID to resource
>>> owner -- this is also where signed emails are useful since the WebID can
>>> be
>>> nipped from the sender's signed email certificate.
>>>
>>> In addition to the above, the resource acl document can itself have ACLs
>>> that enable a variety of users to expand its ACL membership thereby making
>>> an
>>> organic social network.
>>
>> Gah! What does this have to do with WebID? If I substitute "magic pixie
>> dust" for "WebID" in the above, well, I have a fantastic example of
>> how magic pixie dust secures the web. Great. Now what?
>>
>> OK, I guess there's one nugget in there: apparently magic pixie dust
>> can be nipped from unauthenticated email I sent.
>>
>> I'm not feeling very enlightened.
>>
>>
>>
> Ben,
>
> I assumed you attempted to explore WebID via my-profile.eu and hit some
> problems. Hence my comments.
>
> If you are interested in taking a quick look at what's possible with WebID
> and ACLs, I have a simple example on G+. Here are the components in use re.
> aforementioned demo:
>
> 1. WebID -- verifiable identifier in the form of a personal URI
> 2. X.509 Certificate -- watermarked with a WebID in its SAN slot
> 3. Profile Document -- a document with structured content based on the RDF
> data model
> 4. Access Control List Ontology -- this describes the authorization modes
> and how they are scoped to WebIDs.
>
> Links:
>
> 1. http://bit.ly/O4LNKf -- A simple guide to Web-scale verifiable identity
> that leverages WebID based ACLs.

A great example of something I could not possibly ask the average end user to do.

Is anyone planning to address my questions?
Received on Wednesday, 26 September 2012 08:45:07 UTC