Re: How To Handle WebIDs for (X)HTML based Claim Bearing Resources

On 2 Jan 2012, at 02:56, Kingsley Idehen wrote:

> On 1/1/12 11:46 AM, Mo McRoberts wrote:
>> On 31 Dec 2011, at 17:24, Kingsley Idehen wrote:
>> 
>>> Peter gave an example a while back where he loses his Blog space URIs (since he doesn't control Blogspot or WordPress) but still needs to be able to access resources where his old Blog space (the IdP) URI remains the focus of the ACL list by those granting him access to resources (e.g., photos). In this case, he can present a Cert. that has his old URI and his new URI in the cert's SAN. The ACLs don't have to change, assuming the verifiers comprehend coreference claims.
>> There are a very limited number of ways in which that can work if the old URI no longer resolves to linked data matching up with the cert (as would be the case if the account at Blogspot was suspended, or Google shut it down, or whatever — including it now reflecting *somebody else's* claims) without making it trivially easy for hijacking to occur.
> 
> Hijacking doesn't work if you are leveraging signed equivalence claims. This is why OWL is important. The semantics matter, the channel is secure, and the claim is signed.

The claim is only signed for one of the two URIs, hence you can't accept the claim of equivalence.

It works *IF* you've made those claims in advance of losing access to your “old” URI, but doesn't if you haven't — OWL alone can't help you because you can't mirror the claim.

M.

-- 
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ

Received on Monday, 2 January 2012 17:05:04 UTC
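As an added illustration of the rule argued in the exchange above (this is not code from the thread or from any WebID implementation), a toy verifier that honours an owl:sameAs coreference between an old and a new WebID only when both profiles assert it, either now or in a record the verifier made while both URIs still resolved. All URIs, keys and profile documents are constructed.

```python
# Added example, not from the thread: URIs, keys and profiles are constructed.
from dataclasses import dataclass, field

@dataclass
class Profile:
    key: str                                   # public key published in the profile (constructed)
    same_as: set = field(default_factory=set)  # owl:sameAs coreference claims

def fetch(web, uri):
    """Constructed 'web': URI -> profile; None means the URI no longer resolves."""
    return web.get(uri)

def verified_uris(web, cert_key, san):
    """SAN URIs whose dereferenced profile publishes the certificate's key (the WebID-TLS check)."""
    return {u for u in san if (p := fetch(web, u)) is not None and p.key == cert_key}

def equivalence_supported(web, old, new, cache):
    """Honour old==new only if both profiles assert it now, or did so in a record made earlier."""
    if (old, new) in cache:
        return True
    po, pn = fetch(web, old), fetch(web, new)
    ok = po is not None and pn is not None and new in po.same_as and old in pn.same_as
    if ok:
        cache.add((old, new))  # remember a mutual claim seen while both URIs resolved
    return ok

def authorize(web, acl_uri, cert_key, san, cache):
    """Grant access if the ACL's URI is verified directly or via a supported equivalence."""
    live = verified_uris(web, cert_key, san)
    if acl_uri in live:
        return True
    return any(equivalence_supported(web, acl_uri, u, cache) for u in live)

def scenarios():
    old, new, key = "https://old.example/me#i", "https://new.example/me#i", "KEY-NEW"
    san = [old, new]  # the presented certificate lists both WebIDs in its SAN
    cache = set()
    # 1. Both profiles resolve; the old one still carries the earlier key but both assert sameAs.
    web = {old: Profile("KEY-OLD", {new}), new: Profile(key, {old})}
    both_live = authorize(web, old, key, san, cache)
    # 2. Old profile is gone and the verifier never saw the claim: only the new URI vouches.
    web_lost = {new: Profile(key, {old})}
    no_record = authorize(web_lost, old, key, san, set())
    # 3. Old profile is gone, but the mutual claim was recorded in step 1.
    recorded = authorize(web_lost, old, key, san, cache)
    # 4. Old URI now serves somebody else's profile that makes no such claim.
    web_other = {old: Profile("KEY-OTHER"), new: Profile(key, {old})}
    hijack_blocked = authorize(web_other, old, key, san, set())
    return both_live, no_record, recorded, hijack_blocked
```

The recorded-claim path (scenario 3) is the "made those claims in advance" case; without it, a certificate signed for only the new URI cannot carry the old one.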