
Re: WebID-ISSUE-22: Key Pair Revocation / WebID reset [WebID Spec]

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 1 Feb 2011 12:49:26 +0100
Message-Id: <D152070F-D6A0-443E-BE84-61944B432068@bblfish.net>
To: WebID Incubator Group WG <public-xg-webid@w3.org>

On 1 Feb 2011, at 11:54, WebID Incubator Group Issue Tracker wrote:

> 
> The WebID Protocol does not currently define how users should react to lost or stolen key pairs, the equivalent in other technologies would be certificate revocation or "password reset".
> 
> The action(s) a user should take to "disable" the validity of a key pair, or the methods implementers should provide to cater for this, must be defined by the protocol.

It is in fact very easy to do: just remove the public key from the Profile Document, and the next SSL connection should be invalidated. This ties into a few other issues: how long should the profile document representations be valid for? And when should the server go back to the remote server instead of using information in the cache? My guess is that this will depend on the importance of the transaction on the server.


Henry

Social Web Architect
http://bblfish.net/
Received on Tuesday, 1 February 2011 11:50:05 UTC
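The interaction between key removal and profile caching described in the message, as an added example that is not part of the original post or of the WebID specification. The `WebIDVerifier` class, the `MAX_AGE` policy values, the WebID URL and the toy key are all assumptions made for illustration; fetching and parsing the profile document is replaced by a plain callable.

```python
import time
from dataclasses import dataclass, field

# Hypothetical freshness policy: maximum age (seconds) of a cached profile
# before the verifier must go back to the remote server.
MAX_AGE = {"low": 3600, "high": 0}

@dataclass
class WebIDVerifier:
    fetch_profile: callable                 # webid -> set of (modulus, exponent)
    clock: callable = time.time
    cache: dict = field(default_factory=dict)   # webid -> (fetched_at, keys)

    def _keys(self, webid, max_age):
        entry = self.cache.get(webid)
        now = self.clock()
        # Refetch when nothing is cached or the cached copy is too old.
        if entry is None or now - entry[0] >= max_age:
            entry = (now, frozenset(self.fetch_profile(webid)))
            self.cache[webid] = entry
        return entry[1]

    def verify(self, webid, cert_key, importance="low"):
        """Accept only if the certificate's key is listed in the profile."""
        return cert_key in self._keys(webid, MAX_AGE[importance])

def demo():
    webid = "https://example.org/alice#me"      # constructed WebID
    key = (0xC0FFEE, 65537)                     # constructed toy public key
    profiles = {webid: {key}}                   # stands in for the remote server
    now = [1000.0]                              # controllable clock for the demo
    v = WebIDVerifier(lambda w: profiles.get(w, set()), clock=lambda: now[0])

    results = [v.verify(webid, key)]            # first login: fetched and cached
    profiles[webid].discard(key)                # owner removes the lost key
    now[0] += 60
    results.append(v.verify(webid, key, "low"))   # stale cache still accepts
    results.append(v.verify(webid, key, "high"))  # forced refetch rejects
    results.append(v.verify(webid, key, "low"))   # cache now holds fresh profile
    return results

if __name__ == "__main__":
    print(demo())
```

The window in which a removed key is still accepted equals the cache lifetime the relying server chooses for that class of transaction.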
