Re: Browser ID, WebID & URLs

From: Brian Smith <bsmith@mozilla.com>
Date: Sun, 17 Jul 2011 22:08:04 -0700 (PDT)
To: Henry Story <henry.story@bblfish.net>
Cc: WebID XG <public-xg-webid@w3.org>, Ben Adida <ben@adida.net>, dev-identity@lists.mozilla.org
Message-ID: <1038760857.542124.1310965684789.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Henry Story wrote:
> You seem to have made short lasting keys a necessary part of your
> protocol.
> Why is that? I am pointing out one can enable longer lasting ones too.

Long-lasting keys require a revocation mechanism. But the revocation mechanism would likely leak information from the relying party to the identity provider about which identity is being verified. By making keys short-lived, we can avoid the need for a revocation mechanism, and thus avoid this leakage. It does mean that the browser will contact the identity provider more frequently, but I do not think that is a big deal.

Regards,
Brian
Received on Monday, 18 July 2011 05:08:32 UTC
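
The trade-off described in the message above, as an added JavaScript (Node.js) illustration that is not part of the original e-mail and is not BrowserID or WebID code: it contrasts what the identity provider observes when a relying party does an online revocation check with what it observes when the relying party checks only a signature and an expiry time. The certificate layout, the names `makeIdp`, `verifyLongLived` and `verifyShortLived`, the choice of Ed25519 and all sample values are assumptions made for this sketch.

```javascript
// Added illustration: toy model, not the BrowserID or WebID wire format.
const crypto = require('crypto');

// Identity provider (IdP): signs certificates binding an identity to a user key.
function makeIdp() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const log = [];            // everything the IdP gets to observe
  const revoked = new Set(); // revoked user key ids (long-lived model only)
  return {
    publicKey, log, revoked,
    // Called by the browser, so no relying party is named in the log entry.
    issue(identity, userKeyId, now, ttlSeconds) {
      log.push({ event: 'issue', identity });
      const body = JSON.stringify({ identity, userKeyId, exp: now + ttlSeconds });
      return { body, sig: crypto.sign(null, Buffer.from(body), privateKey) };
    },
    // Online revocation query: the caller reveals itself and the identity.
    isRevoked(rpName, identity, userKeyId) {
      log.push({ event: 'revocation-check', rp: rpName, identity });
      return revoked.has(userKeyId);
    },
  };
}

// Relying party, long-lived keys: signature check plus online revocation lookup.
function verifyLongLived(idp, rpName, cert) {
  if (!crypto.verify(null, Buffer.from(cert.body), idp.publicKey, cert.sig)) return false;
  const { identity, userKeyId } = JSON.parse(cert.body);
  return !idp.isRevoked(rpName, identity, userKeyId);
}

// Relying party, short-lived keys: signature and expiry only, no IdP contact.
function verifyShortLived(idpPublicKey, cert, now) {
  if (!crypto.verify(null, Buffer.from(cert.body), idpPublicKey, cert.sig)) return false;
  return now < JSON.parse(cert.body).exp;
}

function demo() {
  const idp = makeIdp();
  const t0 = 1000; // constructed clock value, in seconds
  const cert = idp.issue('alice@example.org', 'key-1', t0, 3600); // constructed
  const shortOk = verifyShortLived(idp.publicKey, cert, t0 + 60);
  const shortExpired = verifyShortLived(idp.publicKey, cert, t0 + 7200);
  const rpsSeenAfterShort = idp.log.filter(e => e.rp).map(e => e.rp);
  const longOk = verifyLongLived(idp, 'shop.example', cert);
  const rpsSeenAfterLong = idp.log.filter(e => e.rp).map(e => e.rp);
  return { shortOk, shortExpired, rpsSeenAfterShort, longOk, rpsSeenAfterLong };
}
```

In the short-lived path the only IdP log entry is the browser's issuance request; the cost is that a compromised key stays usable until `exp` passes, which is why the lifetime has to be short.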
