
Re: How To Handle WebIDs for (X)HTML based Claim Bearing Resources

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Tue, 03 Jan 2012 20:09:28 -0500
Message-ID: <4F03A6C8.1090402@openlinksw.com>
To: public-xg-webid@w3.org
On 1/3/12 6:43 PM, Henry Story wrote:
>
> On 3 Jan 2012, at 23:08, Kingsley Idehen wrote:
>
>> In response to Henry's comment:
>>
>>  "yes. There is something there but it clearly needs to be fleshed 
>> out, as there are so many ways it can be done badly. For example say 
>> I lose my key, in at http://bblfish.net/ and remove it from there, but 
>> the thief of my private key goes and puts in 
>> on http://surpeticious.com/#me and signs the claim there. " .
>> How is that different from losing any device that holds your key re. WebID? You fix the relation.
> There are new things to think about since you have introduced another 
> way of verifying an identity.
>
>> Remember, you are anticipating that the following happen in tandem:
>>
>> 1. You lose control of a URI (booted out of some system)
>> 2. You also lose your private key or a .p12 with your cert and key
>> 3. Thief then imports .p12, masquerades as you.
>>
>> In the scenario above, your cost-benefit analysis will lead you to nuking the relations in your Idp space.
>
> You may know your IDP, but does a relying party? You are now allowing 
> a signed statement of identity to be made anywhere on the web using 
> your private key. Since you have lost your PersonalProfile page - and 
> this is the case you wish to fix, which is why we are considering it - 
> no Relying Party can access it. They therefore have to take at face 
> value any WebId that claims to be you.

I don't understand your analysis at all.

I have a keystore and a cert. I have access to a data space that serves 
the role of idp and more. I have the ability to make and break relations 
with alacrity. I can use the WebID protocol to verify my claims. My 
identity isn't bound to any piece of network infrastructure. I have a 
schema that is grounded in first order logic and data representation based 
on a directed graph. In addition, SPARQL delivers all the declarative 
fidelity I need.
>
> Or is it that you think there should be well known Relying Parties 
> that people trust above all? So that whenever I find a missing key I 
> would go to virtuoso.org <http://virtuoso.org> because it does a good 
> job of caching keys?

I don't know what virtuoso.org is.

I do know parties can friend, develop verifiable trust, work with WebID 
secured endpoints, use SSL, secure named graphs, and make signed claims. 
All using WebID.

>
>> Or making a new signed statement with your new key about equivalence.
> And where would that go?

In a data space that serves as my idp. The point here is that I have an 
x.509 cert in a keystore. I have a portable graph (you can retrieve your 
graphs from URIBurner anytime for instance and place them somewhere else). You 
can sign the entire graph or make statements about statements that are 
also signed.
>
>> 	Remember, your Idp space should challenge you when making these claims.
>
> What is an IDP space? Google.com <http://Google.com>? Or any web site?

A data space is a place on a network where you read, write, update, and 
delete data. A place where you can hold claim mirrors. Basically the 
place where you manage graphs that provide the other half of the double 
entry bookkeeping that drives the whole WebID verification protocol.

>
>> Bottom line here, we either have a WebID exploit via owl:sameAs or powerful lock-down. I know we have powerful lock down when you leverage reification and WebID based verifications of claims made in idp space. Thus, it still ultimately boils down to a life cycle demo, one that will emerge from Peter's exploits or one I'll knock up myself in the very worst case.
> It is worth describing in precise detail what you wish to do using UML 
> diagrams and precise statements of what goes where before going to 
> program it. We all need to look at owl reasoning and trust reasoning. 
> It is an interesting field to explore.

Again, I haven't asked for anyone to implement this. I have simply asked 
for the WebID spec to acknowledge issues that arise when dealing with 
equivalence fidelity. Peter has come at the same issue from a different 
angle based on the loss of URI control scenario.

Why are you consistently misrepresenting and pretending to not 
understand what I am saying? I encourage you to not code and respond to 
my comments at the same time.

>
>> Yes, it needs to be fleshed out for broader clarity, which I guess is what Mo is seeking too. Thus, we have an action item along those lines re. effects of OWL reasoning, statement reification (which includes statement signing), and graph signing on the WebID verification protocol.
> there is a lot to look into there.

Yes, and again, all I ask for re. the spec is cognizance of these matters!

The implementation relevance will show up in the Authorization space. In 
the RWW you'll see what we are on about. Make your apps and then come 
play ball on the RWW :)
>
>
> Social Web Architect
> http://bblfish.net/
>


-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Received on Wednesday, 4 January 2012 01:09:51 GMT
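
Added example, not part of the original message or of any WebID implementation: a minimal Python model of the "double entry" check discussed in this thread, where a certificate's claimed URI counts only if the profile at that URI lists the same key. Treating an owl:sameAs link as valid only when both profiles state it is an assumption made here, and the URIs, keys and function names are constructed placeholders.

```python
# Constructed sample data (not from the thread): profiles keyed by WebID URI.
OWNER = "https://owner.example/#me"   # placeholder: the profile the key owner controls
OTHER = "https://other.example/#me"   # placeholder: a second profile elsewhere on the web
STOLEN_KEY = ("c0ffee", 65537)        # constructed (modulus hex, exponent) of the lost key
NEW_KEY = ("decade", 65537)           # constructed replacement key


def make_profiles(owner_keys, owner_same_as):
    """Build the two profile documents. OTHER always lists the lost key and
    asserts owl:sameAs OWNER; the owner's side is supplied by the caller."""
    return {
        OWNER: {"keys": set(owner_keys), "sameAs": set(owner_same_as)},
        OTHER: {"keys": {STOLEN_KEY}, "sameAs": {OWNER}},
    }


def verify_webid(cert, profiles):
    """First entry: the cert names a URI. Second entry: the profile at that
    URI must list the cert's public key. Both must agree."""
    profile = profiles.get(cert["san_uri"])
    return profile is not None and cert["key"] in profile["keys"]


def accepted_identities(cert, profiles):
    """URIs a relying party may treat as this subject.
    Assumed policy: an owl:sameAs link only extends identity when the
    target profile states the same link back (a mirrored claim)."""
    if not verify_webid(cert, profiles):
        return set()
    uri = cert["san_uri"]
    identities = {uri}
    for other in profiles[uri]["sameAs"]:
        target = profiles.get(other)
        if target is not None and uri in target["sameAs"]:
            identities.add(other)
    return identities


if __name__ == "__main__":
    # Owner has removed the lost key and published a new one; no sameAs link.
    profiles = make_profiles([NEW_KEY], [])
    print(verify_webid({"san_uri": OWNER, "key": STOLEN_KEY}, profiles))
    print(accepted_identities({"san_uri": OTHER, "key": STOLEN_KEY}, profiles))
```

With the owner's profile updated, the lost key no longer verifies for the owner's URI, and a certificate pointing at the second profile is accepted only as that second URI until the owner's profile mirrors the equivalence.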
