Re: Certificate Expiry

On 26 Jan 2012, at 14:55, Kingsley Idehen wrote:
> I mean, anyone is in a position to construct a resource access policy based on
> the credentials presented at resource access time. Thus, if I choose, I can
> decide to not accept identity associated with an expired certificate.

Nobody is denying that you can decide for each resource how secure and important 
it has to be. So most of my resources on bblfish.net are visible to everyone. I 
could put an authorisation scheme in front of it, and then really completely 
ignore any results of the authentication system - whatever that might well be, 
DNA fingerprinting or password, ... - because in the end I wanted the whole site 
to be public anyway. Or I could decide that if the person is not willing to try to 
access my resource with some identifying information, however true or false that 
information may be, I don't want to give them access. Or I could decide that I
only want people with browsers that have client side authentication to connect,
and that be all I care about. That is all fine and good.

But I think with our WebID Verifiers we are trying to at least play a game
where we are pretending the resource is something serious. These are the 
resources the military will be looking at to see which implementers are serious
and which are liabilities to be sold to the enemy/competition. If you think 
about large corporations as military organisations, then you can see the same 
being said of them. And also of course hackers, as they will enjoy pulling 
apart any claim to security that does not stand up.

So of course military players set up honeypots where they allow people with 
false ids to log in, and they can even give them information that is partially 
true, because they can use the other's actions to trace the intention of the 
enemy. But we are not playing at that stage of the game yet, because we need
to first prove that our system is working under normal conditions. Nobody will
even bother with these advanced scenarios if that is not shown.

Henry

Social Web Architect
http://bblfish.net/
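As an added illustration of the point argued in this thread (not code from the original message or from any WebID project): the verifier reports the certificate's validity window separately from the identity claim, and each resource then applies its own policy, from "public" to "valid certificate only". The input is a hand-constructed DER Validity SEQUENCE (two UTCTime values), not a full X.509 certificate, and the policy names are assumptions.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: DER SEQUENCE { UTCTime "110101000000Z", UTCTime "120101000000Z" },
# i.e. a certificate valid from 2011-01-01 to 2012-01-01 (already expired on 2012-01-26).
SAMPLE_VALIDITY = (bytes([0x30, 0x1E, 0x17, 0x0D]) + b"110101000000Z"
                   + bytes([0x17, 0x0D]) + b"120101000000Z")


def _parse_utctime(raw: bytes) -> datetime:
    """RFC 5280 UTCTime 'YYMMDDHHMMSSZ'; YY >= 50 means 19YY, otherwise 20YY."""
    s = raw.decode("ascii")
    if len(s) != 13 or s[-1] != "Z":
        raise ValueError("unsupported UTCTime encoding")
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def parse_validity(der: bytes):
    """Parse a short-form DER Validity SEQUENCE -> (not_before, not_after)."""
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a single short-form SEQUENCE")
    pos, times = 2, []
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        if tag != 0x17:  # only UTCTime handled in this example (GeneralizedTime omitted)
            raise ValueError("only UTCTime (tag 0x17) supported here")
        times.append(_parse_utctime(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    if len(times) != 2:
        raise ValueError("Validity must hold exactly two times")
    return times[0], times[1]


def verify(der_validity: bytes, webid_in_cert: str, now: datetime) -> dict:
    """Verifier report: the identity claim and the expiry status are kept separate."""
    not_before, not_after = parse_validity(der_validity)
    return {"webid": webid_in_cert, "not_after": not_after,
            "valid_at_access": not_before <= now <= not_after}


def authorize(resource_policy: str, result: Optional[dict]) -> bool:
    """Per-resource decision layered on top of the verifier's report (policy names assumed)."""
    if resource_policy == "public":            # ignore authentication entirely
        return True
    if resource_policy == "any-client-cert":   # any presented certificate, expired or not
        return result is not None
    if resource_policy == "valid-cert-only":   # reject identities from expired certificates
        return result is not None and result["valid_at_access"]
    raise ValueError(f"unknown policy {resource_policy!r}")
```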

Received on Thursday, 26 January 2012 14:31:34 UTC