Re: [foaf-protocols] privacy considerations: can a nosy https: site probe user identity without explicit permission? from Henry Story on 2011-02-11 (public-xg-webid@w3.org from February 2011)

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 11 Feb 2011 19:41:21 +0100
To: Peter Williams <home_pw@msn.com>
Cc: <corani@gmail.com>, <jan@wildeboer.net>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>, <foaf-protocols@lists.foaf-project.org>
Message-Id: <BBCFAFC1-8F6D-4078-8BE4-AB09693ED9F8@bblfish.net>

On 11 Feb 2011, at 19:10, Peter Williams wrote:

> 
> It's correct that the hard version of the problem is the logout problem - which is only a coded way of talking about that which cannot be named: sessions.

> > From: corani@gmail.com
> > I believe this is very similar to the "logout" problem, and should be
> > solved in conjunction with that.
> 

Why is that a hard problem? 

There are some parts that are simple:

  -  a UI to show what you are logged in as and to enable the anonymous mode
  - Tying cookies and SSL sessions to identities

The hard problem is information leakage, but that is something one can build up over time. How far you go there depends on how much you want to protect identities and cross referencing.

Henry

Received on Friday, 11 February 2011 18:41:59 UTC