Re: WebID questions -- was: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On 26 September 2012 18:10, Kingsley Idehen <kidehen@openlinksw.com> wrote:
> On 9/26/12 11:48 AM, Ben Laurie wrote:
>>
>> No, the point you are missing is that in capabilities the _only_
>> authority I need to access a resource is the name of that resource -
>> the URI in your case.
>
>
> You can seriously believe I am missing that point while also espousing the
> virtues of hyperlinks as denotation mechanisms for a global web of linked
> data. That doesn't compute. That's a contradiction.

Clearly not, since you think ACLs and caps are equivalent, but it is
well known that they are not.

>> Security derives from the unforgeability of the
>> URI, rather than an independent system that decides if some principal
>> has permission.
>
>
> Security is not derived from the persistence of a URI, it's derived from the
> values exposed directly or indirectly via URI which logic handling routing.
> I can have many identifiers, but relationship semantics ultimately determine
> if I can access a resource at an address, directly or indirectly (i.e., name
> based indirection).

I believe that sea of words is describing your particular plan for how
linked data should work. My claim is merely that this is _not_
equivalent to capability security.

>> The problem that best shows the critical difference between caps and
>> ACLs is the confused deputy problem:
>> http://en.wikipedia.org/wiki/Confused_deputy_problem.
>
>
> Not at all!
>
> I can sign claims about co-reference by name or value. That's why we have
> semantics for equivalence by name, ditto. inverse functionality.

I have no idea what you're trying to say here.

> These
> matters have been long addressed in computer science.

Actually, they have not been long addressed. For a long time, it was
claimed that ACLs and caps were equivalent. The confused deputy shows
that they are not.

> We are at a point
> where there is a ubiquitous Web that lets us reapply what already exists in
> newer and more profound context.

I don't dispute this!

> At this juncture, my position hasn't changed. You haven't introduced a new
> insight that is incongruent with what's possible via the Web today.

Indeed not, in fact capability systems for the Web exist. WebID is not
one of them.

Received on Wednesday, 26 September 2012 17:56:12 UTC
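
The confused deputy distinction argued in this thread, as an added example that is not part of the original messages: a compiler service (the deputy) writes an output file chosen by its client, first under an ACL check on the caller's identity and then with capabilities. The store classes, file names, principals and token scheme are all constructed for illustration.

```python
import secrets

class AclStore:
    """ACL model: the store decides by asking who the caller is."""
    def __init__(self, acl):
        self.acl, self.files = acl, {}   # acl: name -> principals allowed to write

    def write(self, principal, name, data):
        if principal not in self.acl.get(name, ()):
            raise PermissionError(f"{principal} may not write {name}")
        self.files[name] = data

class CapStore:
    """Capability model: holding the unguessable reference is the only authority."""
    def __init__(self):
        self._names, self.files = {}, {}  # _names: capability token -> file name

    def mint(self, name):
        cap = secrets.token_urlsafe(32)   # stands in for an unforgeable URI
        self._names[cap] = name
        return cap

    def write(self, cap, data):
        if cap not in self._names:
            raise PermissionError("not a capability")
        self.files[self._names[cap]] = data

def acl_compile(store, out_name, src):
    # The deputy runs as "compiler", a principal that may also write billing.log.
    store.write("compiler", "billing.log", "1 job billed")
    store.write("compiler", out_name, f"compiled({src})")  # client's name, deputy's authority

def cap_compile(store, billing_cap, out_cap, src):
    store.write(billing_cap, "1 job billed")
    store.write(out_cap, f"compiled({src})")   # client can only designate what it holds

def demo():
    acl = AclStore({"billing.log": {"compiler"}, "alice.out": {"alice", "compiler"}})
    acl_compile(acl, "billing.log", "x")   # alice is not on billing.log's ACL
    cap = CapStore()
    billing_cap, alice_cap = cap.mint("billing.log"), cap.mint("alice.out")
    cap_compile(cap, billing_cap, alice_cap, "x")
    try:
        cap_compile(cap, billing_cap, "billing.log", "x")  # a bare name carries no authority
        name_accepted = True
    except PermissionError:
        name_accepted = False
    return acl.files["billing.log"], cap.files["billing.log"], name_accepted

if __name__ == "__main__":
    print(demo())
```

In the ACL run the billing record is overwritten because the permission check sees only the deputy's identity; in the capability run the client can designate only a file whose reference it already holds.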