- From: Henry Story <henry.story@bblfish.net>
- Date: Mon, 12 Dec 2011 21:55:21 +0100
- To: public-identity@w3.org
- Cc: Edward O'Connor <eoconnor@apple.com>, Brad Hill <bhill@paypal-inc.com>
Hi all,

A month or so ago the WebID spec came up in discussions on this list. An older criticism by Brad Hill was mentioned and Edward O'Connor also joined in with some of his own points. Those issues were, to be fair, ones arising out of what was a very incomplete and still badly written specification - I do have to admit.

In the past month and a half since the discussion on this list, we have done some very serious work on the specification, reworking a lot of the text, adding some much more detailed diagrams, and clearing up the misunderstandings we felt those had led to. I invite you to please look again at the spec, which is now up here:

http://www.w3.org/2005/Incubator/webid/spec/
alias http://webid.info/spec

Perhaps just to take one point from Brad Hill's message [1]

> 1. The existing install base of TLS terminators cannot support the protocol

We have now in our diagram ( http://webid.info/spec#authentication-sequence ) distinguished between the TLS-Light Service and the Application level Guard. The TLS service is now clearly explained to be a normal TLS endpoint minus essentially Trust management. So I think the install base of TLS should be able to deal with this.

> 2. TLS terminators must communicate WebID context to apps

They only need to pass the certificate to what we name the Guard, which will pass the WebID claims to the WebID verifier.

> 3. Performance and scalability is terrible relative to server-auth-only TLS

Server-auth should require verification of client certificates. So there is not much loss and much to gain because of the growth in distribution which CAs don't allow. Any other protocol needs something similar. We also allow these to be done in an asynchronous way.

Anyway, I think these points now come out much more clearly in the specification. Please let us know if there are other issues that you see. We welcome feedback.

Sincerely,

Henry Story, WebID Incubator Chair

[1] http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0127.html

Social Web Architect
http://bblfish.net/

Received on Monday, 12 December 2011 21:03:33 UTC