W3C home > Mailing lists > Public > public-xg-webid@w3.org > March 2011

Re: spec: 2 changes, UML sequence and protocol

From: Stéphane Corlosquet <scorlosquet@gmail.com>
Date: Sun, 6 Mar 2011 17:24:40 -0500
Message-ID: <AANLkTi=V9YJif8VndKrOfnUpneDd5q-j2HQq1YxFH6h1@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
Hi Henry,

On Wed, Feb 23, 2011 at 1:08 PM, Henry Story <henry.story@bblfish.net>wrote:

> I have made the following 2. changes to my local git repository that are
> slightly related
> 1. UML sequence
>  - Added a UML sequence diagram in graffle and jpg format (so others can
> edit)
>  - Added that UML into the spec
>  - also added the graffle source for the other image
> 2. the protocol sequence
> I then had to look how the protocol sequence fitted the sequence diagram,
> which led me in a second step to:
>  - remove the implication that the authentication server must authenticate
> ALL the WebIDS. Peter Williams had some very convincing arguments as to why
> that was a bad idea

from your modified version of the spec: "If the public key in the
Identification Certificate is found in the list of public keys associated
with the claimed WebID URI, the Verification Agent can place it in a list of
verified WebIDs."

This sentence does not make sense: "place it", you mean place what? the
public key? no, here you mean to place the WebIDs dereferencing to a
document containing the public key into a list of verified WebIDs. But then,
you are not addressing Peter's concern by removing a good chunk of text from
the spec: how do you build this list of verified WebIDs? does it have to be
an exhaustive list? after how many failed or verified WebIDs do you stop?
That's something WebID authn implementers will need to know.

>  - reordered the sequence of events: TLS private key authentication happens
> before the certs are extracted before other layers get access to the
> certificate.

why in this order? I would think that the order does not matter, as long as
both the TLS authentication and the public key verification of the WebID
profile document are both done before authenticating a user. Why can't they
even be done in parallel to speed up the authentication process? (e.g. fire
up the WebID document retrieval while performing the regular TLS

you're also adding this step #6 in the authentication sequence:
"If one of the verified WebIDs is authorized to access the resource
requested, the Verification Server should serve that resource. "

Strictly speaking, this is authorization, and out of the scope for the
authentication steps. Removing this step would also cut in half the
complexity of the UML diagram, which looks quite complex as it is. Your
diagram contains the full picture authentication + authorization, which
would fit better in the examples / use cases.


>  - removed the note about  "a digital signature challenge" that was never
> discussed
> My version is here:
>   http://bblfish.net/tmp/2011/02/23/index-respec.html
> If you press cntr-alt-shift-S in your browser you will have a dialog that
> will allow you to get a visual diff from the current version. It seems to
> have a bug as it shows a lot more changes that were made.
> The only relevant ones are in section 3.1
> I am trying to find a tool to give me a url for a visual diff of the source
> code between the two versions but was not able to find one.
>  Feeback welcome,
>  Henry
> Social Web Architect
> http://bblfish.net/
Received on Sunday, 6 March 2011 22:38:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:23 UTC