- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 21 Apr 2013 22:30:33 -0400
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: "public-rww@w3.org" <public-rww@w3.org>, Web Payments CG <public-webpayments@w3.org>
On 04/21/2013 09:57 AM, Melvin Carvalho wrote: > 3. No URLs for keys, making it non-trivial to figure out which key > signed a message. > > Keys *can* have URLs as per the cert ontology. They can be blank > nodes too, which I think is currently more common. I use a URL. It's Linked Data, you *can* do anything. The question here is MUST. In Web Keys, keys MUST have a URL. That requirement makes it so that you can depend on that URL when verifying digital signatures. > Since TPAC 2012 we have decided to decouple WebID into Identity and > Authentication specs. That's a good approach. > Currently the cert ontology is able to related a key to a foaf : > Agent via the "key" predicate. It cannot (yet) do accounts, though > I requested it last month, but coming to consensus on how to name > things can sometimes be a challenge :) True, although the naming/vocabulary part is the easy bit... it's the protocol that's the hard problem. > Do you need the agent -> key relationship or the account -> key > relationship, or both? Depends on what you mean by Agent. Web Keys requires that the public key specify the owner and that the owner specifies ownership over the public key. If you don't verify both, you have a security issue on your hands. > It seems both efforts have evolved in the last couple of years. And > sounds like there's a lot in common still, maybe it's still possible > to iron out the differences ... so that each can reuse from the > other. We tried to work with the WebID community two years ago by: 1. Writing the first version of the WebID specification (I did that). 2. Creating an implementation of WebID over TLS in JavaScript+Flash and then creating one in JavaScript+WebSockets. We spun our wheels for more than a year trying to convince the community that the approach of client-based certificates was a dead end unless the browser vendors got on board. Here we are two years later and the browser vendors still aren't on board, which underlines why we were concerned with the approach. Unless the community is willing to reconsider that position, which Henry is making very clear isn't going to happen, I don't think there is much room for collaboration. There is the Vocabulary problem and Publishing an Identity problem, but those are easy problems to solve. The solution that we end up in the end will be the one that resonates the most with Web Developers, and we're not too concerned about which one is picked because not much is at stake there. In the very worst case, since this is Linked Data, an implementer could implement both without much pain. The hard problem have, and have always been, the protocol and the UX. If there is some place that you feel we could collaborate, please let us know, but I'm not really seeing where that would be at the moment. We're really not interested in having another repeat of what happened two years ago. -- manu -- Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc. blog: Meritora - Web payments commercial launch http://blog.meritora.com/launch/
Received on Monday, 22 April 2013 02:31:02 UTC