W3C home > Mailing lists > Public > public-xg-webid@w3.org > July 2011

Re: Browser ID

From: Ben Adida <ben@adida.net>
Date: Sat, 16 Jul 2011 14:20:52 -0700
Message-ID: <4E2200B4.7020807@adida.net>
To: Kingsley Idehen <kidehen@openlinksw.com>
CC: Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>
On 7/16/11 9:17 AM, Kingsley Idehen wrote:
> User logs into IdP provided data space and deletes their problematic
> public keys.

That makes me nervous. You're asking a lot of users. The most a user 
tends to do (if you're lucky) is change one or two important passwords.

> What happens when someone steals a PC/Laptop/Tablet with the private key
> associated with the public key in a BrowserID scenario? The statement
> above tells you what can happen re. WebID.

I don't think so. From what I understand WebID uses long-lived keypairs. 
BrowserID uses short-lived keypairs that expire in a matter of hours 
(we're thinking at most a day). Our goal is to not have to deal with 
revocation, which is incredibly problematic.

> Re. BrowserID is the mailto: URI to public key relation 1:1 or 1:N ?
> This too has implications.

1:N. Each device generates its own keys. But they expire quickly.

>> Can you trigger cert re-generation automatically and silently? I don't
>> think so.
>
> Of course!

Are you sure that's true? I'm pretty sure that keygen in the browser 
requires user interaction.

-Ben
Received on Saturday, 16 July 2011 21:21:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:25 UTC