
Re: Fwd: Re: Documenting implicit assumptions?

From: Nathan <nathan@webr3.org>
Date: Wed, 02 Feb 2011 01:27:19 +0000
Message-ID: <4D48B2F7.5070202@webr3.org>
To: Manu Sporny <msporny@digitalbazaar.com>
CC: WebID XG <public-xg-webid@w3.org>

Manu Sporny wrote:
>>> the notion of public key holder owns to webid uri (on which the protocol
>>> is currently predicated) is temporally weak, that is to say, the
>>> public/private key holder is not proven to still own / have write
>>> permissions to the webid resource.
> 
> Control of the profile page is also a vital point in OpenID: spammers
> gaining access to any Google/Yahoo account can use my OpenID to log in
> everywhere on my behalf.
> 
> In fact, if classic login can be disabled on the profile hosting site,
> WebID can be more secure as it requires access to one of your
> browser certificates to gain control of the profile page.

Combined with (optional) SRP it'd be rather wonderful... I always see
WebID as a layered protocol; for instance, the last thing I'd want is
my bank authorizing access to my account via just WebID, it needs
password / secret info transfer as well (thankfully encrypted over the
wire thanks to TLS).

Best,

Nathan

srp: http://en.wikipedia.org/wiki/Secure_remote_password_protocol
Received on Wednesday, 2 February 2011 01:28:13 UTC
