WebID-ISSUE-24: Privacy issues from WebID URI dereferencing [WebID Spec] from WebID Incubator Group Issue Tracker on 2011-02-01 (public-xg-webid@w3.org from February 2011)

From: WebID Incubator Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 01 Feb 2011 11:27:21 +0000
To: public-xg-webid@w3.org
Message-Id: <E1PkEOH-0000yf-57@barney.w3.org>

WebID-ISSUE-24: Privacy issues from WebID URI dereferencing [WebID Spec]

http://www.w3.org/2005/Incubator/webid/track/issues/24

Raised by: Nathan Rixham
On product: WebID Spec

Part of the WebID protocol includes dereferencing a "WebID URI" specified by the identifying agent.

Whilst a measure of privacy and anonymity is provided by one half of the protocol (the TLS side), the act of dereferencing a "WebID URI" currently has authority/provenance issues (as outlined in ISSUE-23) and privacy issues.

Namely, privacy is not guaranteed, an intermediary (or a "webid/profile host") can detect a request from a server (say a bank, a private site, an adult site, a gambling site) to a users WebID URI and thus know the user has attempted to identify on said site.

This may be something which the protocol needs to address (for instance, force TLS for dereferencing), or may be something that is best noted and addressed by specification text (note as a security consideration and give advice).

Received on Tuesday, 1 February 2011 11:27:23 UTC