
Re: issue of initiating client auth for parallel SSL sessionids

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 28 Feb 2011 00:32:07 +0100
Cc: Ryan Sleevi <ryan-webid@sleevi.com>, WebID Incubator Group WG <public-xg-webid@w3.org>, nathan <nathan@webr3.org>
Message-Id: <DEE25E3D-7BCC-4E94-8164-C835AEB54FBC@bblfish.net>
To: peter williams <home_pw@msn.com>

On 27 Feb 2011, at 04:41, peter williams wrote:

> We hopefully all know that browsers today show a “mixed security” warning, when an HTML page “container” retrieved over https has images (and scripts, and css pointers) on URIs that are sometimes http, sometimes https. Sometimes those linked images (and scripts etc) are on the same server stem as the HTML page container, sometimes not. If a javascript call back opens up an https URI, this doesn’t even get a UI warning, being outside the DOM security model.


The Web Architecture group has, I noticed, had a thread recently looking into the issue of mixed content and cross domain requests. I found this

	http://www.w3.org/2001/tag/2011/02/security-web.html

I think Nathan has been asking there for the rules used currently in browsers to be made more explicit, which would be a good start to be able to think in a deeper way about improvements that can be made there.

People working on linked data in the browser find they would like to merge content from many different sites. 

Changing browsers to implement a solution that can be proven to be good is going to take the time it takes to find such a solution, specify it, build it and deploy it: a lot of time. It may be easier to think of Social Web servers as experimental browsers: they need to get information from different places and, if they have different users, keep the information from leaking from one user to another, as well as from one graph to another.

>  https has to address this. Webid protocol (as a revision/profile of https) has to address it.


It's not clear that the protocol has to address such issues. WebID is about identifying the client or the server in a way that can tie the agents into the web of data. If one thinks of the browser as an agent - not so unlike a SW server - the job of deciding how to separate the information received from different agents and who to give access to it, is an authorization issue it seems to me. 

  Henry

Social Web Architect
http://bblfish.net/
Received on Sunday, 27 February 2011 23:32:45 UTC
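The mixed-content situation Peter describes (an https "container" page pulling images, scripts and stylesheets from http or https URIs, on the same server or elsewhere) can be checked statically. The following is an added example, not code from the thread or from the WebID group: it walks the subresource references of a page, resolves each against the page URI and reports which ones would be fetched over plain http and which sit on a different origin. The sample page and the host names in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that cause the browser to fetch another URI.
RESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
}

class _RefCollector(HTMLParser):
    """Collects (tag, url) pairs for every subresource reference in the page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link rel="stylesheet"> is a subresource; canonical/alternate links are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in RESOURCE_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.refs.append((tag, attrs[name]))

def audit_mixed_content(page_url, html):
    """Return one dict per subresource: tag, resolved URL, whether it is
    mixed content (http inside an https page) and whether it is same-origin."""
    page = urlsplit(page_url)
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, ref in parser.refs:
        # urljoin resolves relative paths and scheme-relative "//host/x" references.
        target = urlsplit(urljoin(page_url, ref))
        findings.append({
            "tag": tag,
            "url": target.geturl(),
            "mixed": page.scheme == "https" and target.scheme == "http",
            "same_origin": (target.scheme, target.netloc) == (page.scheme, page.netloc),
        })
    return findings

# Constructed sample: an https page mixing same-origin and third-party references.
SAMPLE_HTML = """<html><body>
<img src="/logo.png">
<img src="http://cdn.example.org/pic.jpg">
<script src="//example.net/widget.js"></script>
<link rel="stylesheet" href="https://example.net/style.css">
<link rel="canonical" href="http://example.com/page">
</body></html>"""

if __name__ == "__main__":
    for finding in audit_mixed_content("https://example.com/page", SAMPLE_HTML):
        print(finding)
```

Only the second image is flagged as mixed content; the scheme-relative script inherits https from the page and is merely cross-origin.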
