
Re: WebID security picture

From: Dominique Guardiola <dguardiola@quinode.fr>
Date: Fri, 8 Apr 2011 15:25:51 +0200
Message-Id: <3DDCC486-74F1-4229-B73F-FBFB866FF564@quinode.fr>
To: public-xg-webid@w3.org
On 8 Apr 2011, at 14:30, Mo McRoberts wrote:

> Somebody later gains access to my Facebook account, and adds their  
> own certificate's public key to my FOAF document. Now, they can log  
> in to everything I've used my WebID for previously, impersonating me.

This has already been said, and OpenID has the same problem.

WebID goes further in allowing us to create more trust around
universal authentication:

- Semantic-enabled social networks are appearing every day; add the
ease of setup (just host a FOAF file), and this will spread the risk
of having millions of IDs stolen. OpenID is hard to implement; WebID
democratizes universal authentication, making it easier than SMTP to
deploy.

- If you have a critical application and allow people to use WebID,
nothing prevents you from using more tools to know better who your
customers are. A bank using WebID could ask for an email confirmation
when detecting a change in the public key used (using a cache), ask a
special question, define authorized computers using cookies ...

But these are extensions/plugins that could be standardized later.

--
Dominique Guardiola, QUINODE
• http://www.quinode.fr/
• Tel : 04.27.86.84.37
• Mob : 06.15.13.22.27
Received on Friday, 8 April 2011 14:33:15 UTC
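
The key-change check suggested in the message above (cache the public key seen for a WebID, require an out-of-band confirmation when it changes), sketched as an added example that is not code from the message or from any WebID implementation. The class and function names are hypothetical, the sample keys are constructed, and the usual WebID check that the presented key appears in the profile is assumed to have already passed.

```python
import hashlib
import string
from dataclasses import dataclass, field


def key_fingerprint(modulus_hex: str, exponent: int) -> str:
    """SHA-256 over a canonical form of an RSA public key from a profile."""
    # Profiles may format the modulus with spaces, colons or mixed case.
    digits = "".join(c for c in modulus_hex if c in string.hexdigits)
    return hashlib.sha256(f"{int(digits, 16):x}:{exponent}".encode()).hexdigest()


@dataclass
class KeyCache:
    """Hypothetical relying-party cache of keys already seen per WebID."""
    confirmed: dict = field(default_factory=dict)  # WebID URI -> confirmed fingerprints
    pending: dict = field(default_factory=dict)    # WebID URI -> awaiting confirmation

    def check_login(self, webid: str, modulus_hex: str, exponent: int) -> str:
        fp = key_fingerprint(modulus_hex, exponent)
        known = self.confirmed.get(webid)
        if known is None:
            # Assumption: the first key is enrolled when the account is opened.
            self.confirmed[webid] = {fp}
            return "enrolled"
        if fp in known:
            return "allow"
        # New key for a known WebID: hold the session until the owner
        # confirms out of band (e-mail link, special question, ...).
        self.pending.setdefault(webid, set()).add(fp)
        return "step-up"

    def confirm(self, webid: str, modulus_hex: str, exponent: int) -> bool:
        """Promote a pending key once the out-of-band confirmation succeeded."""
        fp = key_fingerprint(modulus_hex, exponent)
        if fp not in self.pending.get(webid, set()):
            return False
        self.pending[webid].discard(fp)
        self.confirmed[webid].add(fp)
        return True


# Constructed sample values, not real keys.
WEBID = "https://example.org/people/alice#me"
OLD_KEY = ("00:C0:FF:EE:12:34", 65537)
NEW_KEY = ("00deadbeef5678", 65537)
```

A key added to the profile by someone who took over the hosting account returns "step-up" on every login until `confirm` succeeds, so editing the FOAF document alone does not grant access at this relying party.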
