- From: peter williams <home_pw@msn.com>
- Date: Mon, 21 Mar 2011 11:04:42 -0700
- To: "'Henry Story'" <henry.story@bblfish.net>
- CC: "'Yngve Nysaeter Pettersen'" <yngve@opera.com>, <public-xg-webid@w3.org>
I'm not too worried about a profile pointing to offsite pictures, creating multiple session IDs and multiple presentations of client certs/sigs. (That was Ryan's axis of argument, and his worry about our mission.) That is a traditional https issue known from the outset, about "mixed content." The webby world has learned to address it, somehow. It's mixed up in the whole open web => phishing issue set, which stumbles along somehow.

I'm more concerned with the core "foaf-ness" of WebID, when RDFa is specifically involved. The whole point of RDFa is that it works with the "web we know today". In my [RDFa] foaf graph, I want now to refer to the OpenID/WebID of my friends. Surely this is what we intended all along! I want to define my own foaf group (which means referring to their foaf cards, using WebID-grade URIs).

So the bright-line test can be applied. What necessary condition can I change so that the theorem flips from valid to invalid, with a change of just one fact? (i.e. induce the contradiction... Enigma bombe-like... and halt that Turing machine...)

From the description in the blog post, it appears to happen the moment I add Henry's OpenID/WebID to my foaf card, as represented in XHTML/RDFa. Before I add the "EV-untrusted Henry", Opera apparently presents my own foaf card (currently with no external refs) to the world as "EV-trustworthy". The moment I associate with Henry, EV/Opera tells the world I am (i.e. my site is) now untrustworthy, by withdrawing EV UI signals at the billion PCs using Opera. Remove the Henry card reference and I'm EV-trusted again.

As we intended foaf cards to be hosted on SSL sites (and optionally EV sites), we seem to have learned something I certainly didn't know before today. Can someone with an EV site cooperate with me, so I can test things empirically? The blog posts I'm basing my reasoning on are years old, and perhaps life's changed meantime.
-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Henry Story
Sent: Monday, March 21, 2011 10:05 AM
To: peter williams
Cc: 'Yngve Nysaeter Pettersen'; public-xg-webid@w3.org
Subject: Re: report on EV and SSL MITM proxying

On 21 Mar 2011, at 17:51, peter williams wrote:

> I think it all comes down to this:
>
> If I have a foaf card in XHTML/RDFa (with my self-asserted pubkey) hosted on an EV site, and I (10s later) add the wrong party (pointing to the WebID of a person whose site has NO EV cert), my own site in Opera now no longer shows the green address bar when rendering my foaf card in XHTML+RDFa. (10s ago, it did.)

(Just reading the above, hope I did not miss something important)

If your browser displays your RDFa foaf profile served by an EV hosted site, then the browser should show that page as being an EV issued page, no matter what resources that page points to. That is the way current pages work.

If your foaf profile embeds remote things such as pictures served from somewhere else, then the browser will probably show that the page contains mixed content. Until a good UI and security mechanism for browsers handling merged content appears this is where we will remain.

I think Social Web servers or light weight specialised clients will be the first to explore trust with merged graphs.

Henry

Social Web Architect
http://bblfish.net/
Received on Monday, 21 March 2011 18:05:15 UTC
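The two messages above turn on one distinction: a foaf card that *points to* another WebID (an RDFa `rel="foaf:knows"` hyperlink) versus one that *embeds* a remote resource (a picture). The following is an added example, my own code rather than anything from the thread, from Opera or from the WebID group: a small scanner that walks an XHTML+RDFa card and separates the subresources a browser would fetch while rendering from the plain references that land in the RDF graph but are never fetched. It applies the standard mixed-content rule (an `http:` load inside an `https:` page); it does not model any EV-specific UI policy, which is exactly what Peter wants to test empirically. The sample card, the `example.*` URIs and the `withDepiction` helper are all constructed for the example.

```javascript
// Added example (not from the thread): classify the outbound references in an
// XHTML+RDFa FOAF card into (a) subresources a browser fetches while rendering
// the page and (b) plain references (hyperlinks, RDFa object URIs) that are
// recorded in the graph but never fetched during rendering. Only (a) can trip
// a browser's mixed-content handling; a foaf:knows pointing at another WebID
// is (b). Minimal regex scanner, not an XHTML parser; all URIs are made up.

const SUBRESOURCE_ATTRS = {
  img: ['src'], script: ['src'], iframe: ['src'], embed: ['src'],
  audio: ['src'], video: ['src'], source: ['src'], object: ['data'],
};
const TAG_RE = /<([A-Za-z][\w:-]*)\b([^>]*?)\/?>/g;
const ATTR_RE = /([\w:-]+)\s*=\s*"([^"]*)"/g;

function parseAttrs(raw) {
  const out = {};
  for (const m of raw.matchAll(ATTR_RE)) out[m[1].toLowerCase()] = m[2];
  return out;
}

// URLs this element makes the browser fetch while rendering the page.
function fetchedUrls(tag, a) {
  if (SUBRESOURCE_ATTRS[tag]) {
    return SUBRESOURCE_ATTRS[tag].filter((k) => k in a).map((k) => a[k]);
  }
  // <link> only loads something for stylesheet/icon relations; other rels
  // (e.g. rel="alternate" pointing at an RDF/XML copy) are just references.
  if (tag === 'link' && a.href && /\b(stylesheet|icon)\b/i.test(a.rel || '')) {
    return [a.href];
  }
  return [];
}

function classifyCard(xhtml, pageUrl) {
  const page = new URL(pageUrl);
  const subresources = [];
  const references = [];
  for (const m of xhtml.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[2]);
    const fetched = fetchedUrls(tag, a);
    for (const u of fetched) {
      const abs = new URL(u, page);
      subresources.push({
        tag,
        url: abs.href,
        // Standard mixed-content rule: an http: load inside an https: page.
        mixed: page.protocol === 'https:' && abs.protocol === 'http:',
      });
    }
    if (fetched.length === 0) {
      // Hyperlinks and RDFa object URIs: graph edges, never fetched on render.
      for (const k of ['href', 'resource']) {
        if (k in a) {
          references.push({
            tag,
            predicate: a.rel || a.rev || a.property || null,
            url: new URL(a[k], page).href,
          });
        }
      }
    }
  }
  return { subresources, references, mixedContent: subresources.some((s) => s.mixed) };
}

// Constructed sample card: served over https, refers to two friends' WebIDs
// (one of them on a plain-http site) and embeds nothing.
const CARD = `<html xmlns="http://www.w3.org/1999/xhtml" xmlns:foaf="http://xmlns.com/foaf/0.1/">
<body>
<div about="#me" typeof="foaf:Person">
  <span property="foaf:name">Peter (sample)</span>
  <a rel="foaf:knows" href="http://example.org/henry/card#me">Henry (sample)</a>
  <a rel="foaf:knows" href="https://example.net/yngve/card#me">Yngve (sample)</a>
</div>
</body>
</html>`;

// Same card with an embedded depiction, the case Henry says does change the
// browser's indicator. Hypothetical helper for the example.
function withDepiction(card, src) {
  return card.replace('</div>', `  <img rel="foaf:depiction" src="${src}" alt="" />\n</div>`);
}

const PAGE = 'https://example.com/peter/card';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, doc] of [
    ['links only', CARD],
    ['http photo', withDepiction(CARD, 'http://photos.example.org/me.jpg')],
    ['https photo', withDepiction(CARD, 'https://photos.example.org/me.jpg')],
  ]) {
    const r = classifyCard(doc, PAGE);
    console.log(label, '-> mixedContent:', r.mixedContent,
      'fetched:', r.subresources.length, 'references:', r.references.length);
  }
}
```

Run under Node: the links-only card yields no fetched subresources and two `foaf:knows` references, so nothing for a mixed-content check to object to, regardless of the scheme or certificate grade of the friend's site; the card with an `http:` depiction is flagged, and the same depiction over `https:` is fetched but not flagged. Whether a particular browser also keys its EV indicator to anything beyond the page's own certificate is outside what this scanner shows.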