
Re: How To Handle WebIDs for (X)HTML based Claim Bearing Resources

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Tue, 3 Jan 2012 12:09:55 +0000
Cc: public-xg-webid@w3.org
Message-Id: <0BE8127C-001B-4138-A46F-F42D13715A6D@bbc.co.uk>
To: Kingsley Idehen <kidehen@openlinksw.com>

On 2 Jan 2012, at 19:42, Kingsley Idehen wrote:

>> It works *IF* you've made those claims in advance of losing access to your “old” URI, but doesn't if you haven't — OWL alone can't help you because you can't mirror the claim.
> 
> Again, let's not speculate and argue endlessly. Do a real test with a simple resource to which a WebID based ACL is applied.

> 
> This is about routing and data access exposed via identifiers in a certificate combined with verifiers that understand OWL semantics. A statement doesn't maketh OWL semantics, you have to implement the semantics in a system for the statement to have a modicum of value.

No. This is not “speculating and arguing endlessly”. It has nothing (besides a tangential relationship) to do with ACLs, and very little to do with OWL. Real-world tests are unhelpful because this is about how things are _supposed_ to behave, not documenting how prototypes actually DO — this is not an exercise in scientific discovery, but in decision-making. (And also, to be honest, it’s a matter of the basic principles of WebID’s operation when it comes to confirming “authority” to the WebID URI).

This boils down to how WebID consumers are SUPPOSED to behave when you lose the ability to publish resources at the URI your certificate bears (and so are unable to mirror the claim), what happens to the data held by those consumers (i.e., your profile/account data, including confirmed relationships with other people), and what end-users are supposed to do to mitigate any of it.

The answer may be to publish a synonym claim, via both OWL and SAN, *before you lose access to the original WebID URI* and then go through every consuming service that you use poking them to pick up the updated document so that they know about your additional URI.

As the spec stands right now, there is nothing which provides a way for the previous holder of a URI to state that their new URI is elsewhere without doing so *in advance* of losing the ability to publish to that original URI. If you allow them to do it after the fact, then unless you pay attention to something else as the key piece of identifying information (e.g. they have authenticated with the same private key as previously), then there's nothing stopping somebody *else* coming along and presenting a certificate bearing a new URI which uses OWL to claim it's the same as that original one and gaining access to all of your data.

M.

-- 
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
Received on Tuesday, 3 January 2012 12:10:32 GMT
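As an added example, not part of this thread or of any WebID implementation, here is the verifier-side rule the message above argues for: a new URI inherits the identity bound to an old one only if the synonym claim was mirrored at the old URI while its holder still controlled it, or the same key as before is presented. The Profile and Certificate classes, the example URIs and the key fingerprints are constructed stand-ins, not real RDF or X.509 handling.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Constructed stand-in for a fetched WebID profile document (not real RDF)."""
    uri: str
    same_as: set = field(default_factory=set)      # owl:sameAs targets
    keys: set = field(default_factory=set)         # fingerprints of listed keys

@dataclass
class Certificate:
    """Constructed stand-in for the client certificate presented at login."""
    sans: set                                      # URIs in subjectAltName
    key: str                                       # fingerprint of its public key

def accept_synonym(old: Profile, new: Profile, cert: Certificate,
                   key_confirmed_for_old: str) -> bool:
    """Decide whether `new.uri` may take over the account bound to `old.uri`.
    The new side must assert the claim (owl:sameAs in the new profile, or the
    old URI in the cert's SAN) with a key the new profile lists, and then either
    (1) the old profile, fetched while its owner still controlled it, mirrors
    the claim back, or (2) the presented key is the one already confirmed for
    the old URI. Otherwise anyone publishing a sameAs claim could inherit the data.
    """
    claimed = old.uri in new.same_as or old.uri in cert.sans
    if not claimed or new.uri not in cert.sans or cert.key not in new.keys:
        return False
    mirrored = new.uri in old.same_as
    same_key = cert.key == key_confirmed_for_old
    return mirrored or same_key

# Constructed scenarios (URIs and fingerprints are placeholders)
OLD = "https://old.example/me#id"
NEW = "https://new.example/me#id"

def planned_migration() -> bool:
    old = Profile(OLD, same_as={NEW}, keys={"K1"})          # updated in advance
    new = Profile(NEW, same_as={OLD}, keys={"K2"})          # new key, new host
    return accept_synonym(old, new, Certificate({NEW, OLD}, "K2"), "K1")

def after_the_fact_same_key() -> bool:
    old = Profile(OLD, keys={"K1"})                         # never updated
    new = Profile(NEW, same_as={OLD}, keys={"K1"})          # same key reused
    return accept_synonym(old, new, Certificate({NEW}, "K1"), "K1")

def unmirrored_claim_other_key() -> bool:
    old = Profile(OLD, keys={"K1"})                         # never updated
    new = Profile(NEW, same_as={OLD}, keys={"K9"})          # bare sameAs claim
    return accept_synonym(old, new, Certificate({NEW}, "K9"), "K1")
```

The third scenario is the one the message warns about: a bare owl:sameAs claim from a different key, with nothing at the old URI to confirm it, is refused.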

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 January 2012 12:10:32 GMT