- From: Ben Adida <ben@adida.net>
- Date: Sat, 16 Jul 2011 14:20:52 -0700
- To: Kingsley Idehen <kidehen@openlinksw.com>
- CC: Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>
On 7/16/11 9:17 AM, Kingsley Idehen wrote:
> User logs into IdP provided data space and deletes their problematic
> public keys.

That makes me nervous. You're asking a lot of users. The most a user tends to do (if you're lucky) is change one or two important passwords.

> What happens when someone steals a PC/Laptop/Tablet with the private key
> associated with the public key in a BrowserID scenario? The statement
> above tells you what can happen re. WebID.

I don't think so. From what I understand WebID uses long-lived keypairs. BrowserID uses short-lived keypairs that expire in a matter of hours (we're thinking at most a day). Our goal is to not have to deal with revocation, which is incredibly problematic.

> Re. BrowserID is the mailto: URI to public key relation 1:1 or 1:N ?
> This too has implications.

1:N. Each device generates its own keys. But they expire quickly.

>> Can you trigger cert re-generation automatically and silently? I don't
>> think so.
>
> Of course!

Are you sure that's true? I'm pretty sure that keygen in the browser requires user interaction.

-Ben
Received on Saturday, 16 July 2011 21:21:17 UTC