RE: How To Handle WebIDs for (X)HTML based Claim Bearing Resources

"You make a certificate with a WebID watermark. That's part one. You persist your claims to an Idp space. That's part two. A verifier de-references pointers into a graph that describes subjects by name. This space can also have relations for expressing equivalence by Name or Values. Its up to a verifier to handle this semantic fidelity."

 

 

Can we take this as our model?

 

The spec doesnt say what I do believe is meant (which is what is said above). That captures that we are about validation logics (not issuing/asserging logics). And, there are n of them - one per relying party. Furthermore, the invocation of any particualr logic is a function of the references, and how they resolve as controlled by the verifier.

 

I like the above in the spec, rewritten a little. It expresses the core protection philosophy. It distinguishs webid (and its use oc client certs) from the world of PKI ( that that worlds use of client certs). It doesnt distinguish webid from the more general world CAs, of which PKI was only 1 profile (focussed on military command and control concepts of key distribution as the basis of all access control to crypto security associations, or its general-purposed internet overlay - via PKIX)

 

Kinglsey has made the case that a multiple SAN URI cert can exploiut said mdoel and now plays the role that the openid delegation metadata plays. It allows one or more entity to be ferenced, that then act as c0-bridge between the world of names used at IDPs, the names used at SPs, and the ability of a subscriber to change that graph (as IDPs fire users, of users fire IDPs).

 

its more powerful than openid, as there is not just one bridge (the blog site with link rel=openid.delegate=), but n of them.

 

So, in survivability analysis, he has engineered yet more redundancy, this time at the level of bridge isolation.

Received on Tuesday, 3 January 2012 19:48:30 UTC