- From: 远洋 <corani@gmail.com>
- Date: Wed, 28 May 2014 17:22:08 +0800
- To: Mo McRoberts <Mo.McRoberts@bbc.co.uk>
- Cc: Kingsley Idehen <kidehen@openlinksw.com>, "public-webid@w3.org" <public-webid@w3.org>
- Message-ID: <CADPdpKb+Q2qWFiXh=FtZHk9r9B=e=8+HOGaky0x7JcWKWAf-dQ@mail.gmail.com>
You're entirely correct, except that I was talking about OpenID, not WebID ^_~

To the point of WebID, since in the simplest case you only need to host a static file, I don't see much of a problem here. You can host it on a website, on Google Drive, Dropbox or a host of other free and convenient places. I believe Kingsley's YouID apps offer this functionality.

I haven't actively followed WebID for a long time, so there's one thing I'm wondering about how it's handled. What do services offering WebID use to identify users?

The public key? -> What happens when the user's certificate expires or when he loses control of it?

The URI? How can a user change their WebID URI?

Or something else?

On Wed, May 28, 2014 at 4:38 PM, Mo McRoberts <Mo.McRoberts@bbc.co.uk> wrote:

> On 2014-May-28, at 06:20, Daniël Bos <corani@gmail.com> wrote:
>
> > OpenID can actually run locally, since the browser handles all the redirects. In the past I've used an OpenID provider running on localhost. This could just as easily have been baked into the browser.
>
> That’s going to very much depend upon the server. There’s nothing about that which is guaranteed to work. The server you’re communicating with *should* be able to dereference the URI in the certificate as a means of (1) verifying your WebID (the URI), and (2) performing attribute exchange.
>
> A local-only server will only work if the above happens client-side, which itself would make me nervous.
>
> The whole point of hosting the FOAF (or equivalent) somewhere accessible is that the server being able to fetch it, and its contents matching your key, is a way of confirming that the URI you’re claiming to control is actually something you control. It’s the server which needs to obtain this verification, not the browser. The browser doesn’t have any particular reason to care.
>
> A local-only server would be the equivalent of verifying your e-mail address on a site which requires it, but only running a mail server which is also bound only to localhost.
>
> M.
>
> --
> Mo McRoberts - Chief Technical Architect - Archives & Digital Public Space,
> Zone 2.12, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA.
>
> Inside the BBC? My movements this week: http://neva.li/where-is-mo

--
Best regards,

Daniël Bos

Your government is reading your email. Slow them down with encryption.
My public key: http://goo.gl/gms497

Received on Wednesday, 28 May 2014 09:22:55 UTC
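
The server-side check described in the quoted message (dereference the URI from the certificate, then confirm the fetched profile lists the presented key), as an added example that is not part of the original thread. It assumes a Turtle profile using the W3C cert vocabulary (`cert:modulus`, `cert:exponent`); `keys_for`, `verify_webid`, the `fetch` callable, the example.org URI and the key values are constructed for illustration.

```python
import re

# Constructed profile document, as it might be served at the WebID's URI.
PROFILE = '''
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<https://example.org/profile#me> a foaf:Person ;
    cert:key [ a cert:RSAPublicKey ;
        cert:modulus "00c3a1f5"^^xsd:hexBinary ;
        cert:exponent 65537 ] .
'''

# What the relying server can reach over the network (constructed).
# A profile bound only to the client's localhost is absent from this map.
REACHABLE = {"https://example.org/profile": PROFILE}

CERT_KEY = re.compile(
    r'cert:modulus\s+"([0-9A-Fa-f]+)"\^\^xsd:hexBinary\s*;'
    r'\s*cert:exponent\s+(\d+)')


def keys_for(webid, turtle):
    """Return the (modulus, exponent) pairs stated for `webid` in the profile.

    Simplified regex parse for this example; a real verifier would use an
    RDF parser and query the graph instead.
    """
    block = re.search(re.escape(f"<{webid}>") + r"\s(.*?)\]\s*\.", turtle, re.S)
    if block is None:
        return set()  # the document says nothing about this URI
    return {(int(m, 16), int(e)) for m, e in CERT_KEY.findall(block.group(1))}


def verify_webid(webid, cert_key, fetch):
    """Accept the claimed URI only if the server itself can fetch the profile
    and the profile lists the key from the client certificate.

    `fetch` is a hypothetical callable: document URI -> text, or None.
    """
    turtle = fetch(webid.split("#", 1)[0])  # strip fragment, then dereference
    if turtle is None:
        return False  # unreachable from the server, so the claim is unverified
    return cert_key in keys_for(webid, turtle)


if __name__ == "__main__":
    key = (0xC3A1F5, 65537)  # public key taken from the client certificate
    print(verify_webid("https://example.org/profile#me", key, REACHABLE.get))
    print(verify_webid("http://localhost:8080/profile#me", key, REACHABLE.get))
```

The second call fails because the lookup runs on the relying server, where a localhost URI does not resolve to the client's profile.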