- From: Stéphane Corlosquet <scorlosquet@gmail.com>
- Date: Sun, 6 Mar 2011 17:24:40 -0500
- To: Henry Story <henry.story@bblfish.net>
- Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
- Message-ID: <AANLkTi=V9YJif8VndKrOfnUpneDd5q-j2HQq1YxFH6h1@mail.gmail.com>
Hi Henry, On Wed, Feb 23, 2011 at 1:08 PM, Henry Story <henry.story@bblfish.net>wrote: > I have made the following 2. changes to my local git repository that are > slightly related > > 1. UML sequence > - Added a UML sequence diagram in graffle and jpg format (so others can > edit) > - Added that UML into the spec > - also added the graffle source for the other image > > 2. the protocol sequence > > I then had to look how the protocol sequence fitted the sequence diagram, > which led me in a second step to: > > - remove the implication that the authentication server must authenticate > ALL the WebIDS. Peter Williams had some very convincing arguments as to why > that was a bad idea > from your modified version of the spec: "If the public key in the Identification Certificate is found in the list of public keys associated with the claimed WebID URI, the Verification Agent can place it in a list of verified WebIDs." This sentence does not make sense: "place it", you mean place what? the public key? no, here you mean to place the WebIDs dereferencing to a document containing the public key into a list of verified WebIDs. But then, you are not addressing Peter's concern by removing a good chunk of text from the spec: how do you build this list of verified WebIDs? does it have to be an exhaustive list? after how many failed or verified WebIDs do you stop? That's something WebID authn implementers will need to know. > - reordered the sequence of events: TLS private key authentication happens > before the certs are extracted before other layers get access to the > certificate. > why in this order? I would think that the order does not matter, as long as both the TLS authentication and the public key verification of the WebID profile document are both done before authenticating a user. Why can't they even be done in parallel to speed up the authentication process? (e.g. fire up the WebID document retrieval while performing the regular TLS authentication). you're also adding this step #6 in the authentication sequence: "If one of the verified WebIDs is authorized to access the resource requested, the Verification Server should serve that resource. " Strictly speaking, this is authorization, and out of the scope for the authentication steps. Removing this step would also cut in half the complexity of the UML diagram, which looks quite complex as it is. Your diagram contains the full picture authentication + authorization, which would fit better in the examples / use cases. Steph. > - removed the note about "a digital signature challenge" that was never > discussed > > My version is here: > http://bblfish.net/tmp/2011/02/23/index-respec.html > > If you press cntr-alt-shift-S in your browser you will have a dialog that > will allow you to get a visual diff from the current version. It seems to > have a bug as it shows a lot more changes that were made. > The only relevant ones are in section 3.1 > > I am trying to find a tool to give me a url for a visual diff of the source > code between the two versions but was not able to find one. > > Feeback welcome, > > Henry > > > > Social Web Architect > http://bblfish.net/ > > >
Received on Sunday, 6 March 2011 22:38:33 UTC