security section

I think we also should have a security section in the basic WebID spec.
Here are the two main issues I can think of.

 1. In order to avoid man in the middle attacks https SHOULD be enabled 
on the data for the main WebID Profile and subsidiary related profile 
documents. Such man in the middle attacks could change information in someone's
profile, before it reaches the user such as a phone number, address or other
means of communicating with the person, such that people relying on it could
end up being misled.

 2. This ties in with Privacy, so that related ACLed documents should (MUST?) 
be also protected with cryptographic TLS endpoints (i.e., not 0 encryption)
or else man in the middle snooping is possible.

I am sure other issues will pop up.

Henry


Social Web Architect
http://bblfish.net/

Received on Thursday, 6 December 2012 18:32:19 UTC