W3C home > Mailing lists > Public > public-xg-webid@w3.org > February 2011

Re: Documenting implicit assumptions?

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 2 Feb 2011 10:50:33 +0100
Cc: Manu Sporny <msporny@digitalbazaar.com>, WebID XG <public-xg-webid@w3.org>
Message-Id: <21A5AE66-945E-4FD5-9D87-7FCEEBEF44AA@bblfish.net>
To: nathan@webr3.org

On 2 Feb 2011, at 02:27, Nathan wrote:

> Manu Sporny wrote:
>>>> the notion of public key holder owns to webid uri (on which the  protocol
>>>> is currently predicated) is temporally weak, that is to say, the
>>>> public/private key holder is not proven to still own / have write
>>>> permissions to the webid resource.
>> Control of the profile page is also a vital point in openID : spammers
>> gaining access to any google/yahoo account can use my openID to login
>> everywhere on my behalf.
>> In fact, if classic login can be disabled on the profile hosting site,
>> WebID can be more secure as it requires an access to one of your
>> browser certificate to gain control on the profile page.
> 
> combined with (optional) SRP it'd be rather wonderful.. I always see WebID as a layered protocol, for instance the last thing I'd want is my bank authorizing access to my account via just WebID, it needs password / secret info transfer as well (thankfully encrypted over the wire thanks to tls)

+1

> 
> Best,
> 
> Nathan
> 
> srp: http://en.wikipedia.org/wiki/Secure_remote_password_protocol


> 

Social Web Architect
http://bblfish.net/
Received on Wednesday, 2 February 2011 09:51:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:22 UTC