W3C home > Mailing lists > Public > public-xg-webid@w3.org > February 2011

Fwd: Re: Documenting implicit assumptions?

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 01 Feb 2011 13:56:19 -0500
Message-ID: <4D485753.40900@digitalbazaar.com>
To: WebID XG <public-xg-webid@w3.org>
Forwarding something that was sent to me that should've been sent to the
list.

-------- Original Message --------
Subject: Re: Documenting implicit assumptions?
Date: Tue, 1 Feb 2011 12:02:55 +0100
From: Dominique Guardiola <dguardiola@quinode.fr>
To: Manu Sporny <msporny@digitalbazaar.com>

My two cents, as a non-expert lurker
Launching quickly an alternative to OpenID is one task,
solving the problems other failed to solve is another

For example :

>> privacy is not guaranteed (an intermediary, or a "webid/profile  
>> host",
>> can detect a request from an server (say a bank, a private site, an
>> adult site, a gambling site) to a users webid URI and thus know the  
>> user
>> has attempted to login on said site.

What's the difference with the knowledge current OpenID providers have
on your activity ?
This ultimately relies on the trust you put in your ID provider

>> the notion of public key holder owns to webid uri (on which the  
>> protocol
>> is currently predicated) is temporally weak, that is to say, the
>> public/private key holder is not proven to still own / have write
>> permissions to the webid resource.

Control of the profile page is also a vital point in openID : spammers
gaining access to any google/yahoo account can use my openID to login
everywhere on my behalf.

In fact, if classic login can be disabled on the profile hosting site,
WebID can be more secure as it requires an access to one of your
browser certificate to gain control on the profile page.


--
Dominique Guardiola
 Tel : 04.27.86.84.37
 Mob : 06.15.13.22.27
Received on Tuesday, 1 February 2011 18:56:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:22 UTC