- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 26 Jan 2012 15:30:55 +0100
- To: Kingsley Idehen <kidehen@openlinksw.com>
- Cc: public-webid@w3.org
On 26 Jan 2012, at 14:55, Kingsley Idehen wrote:

> I mean, anyone is in a position to construct a resource access policy based on
> the credentials presented at resource access time. Thus, if I choose, I can
> decide to not accept identity associated with an expired certificate.

Nobody is denying that you can decide for each resource how secure and important it has to be. So most of my resources on bblfish.net are visible to everyone. I could put an authorisation scheme in front of it, and then really completely ignore any results of the authentication system - whatever that might well be, DNA fingerprinting or password, ... - because in the end I wanted the whole site to be public anyway. Or I could decide that if the person is not willing to try to access my resource with some identifying information, however true or false that information may be, I don't want to give them access. Or I could decide that I only want people with browsers that have client side authentication to connect, and that be all I care about.

That is all fine and good. But I think with our WebID Verifiers we are trying to at least play a game where we are pretending the resource is something serious. These are the resources the military will be looking at to see which implementers are serious and which are liabilities to be sold to the enemy/competition. If you think about large corporations as military organisations, then you can see the same being said of them. And also of course hackers, as they will enjoy pulling apart any claim to security that does not stand up.

So of course military players set up honeypots where they allow people with false ids to log in, and they can even give them information that is partially true, because they can use the other's actions to trace the intention of the enemy. But we are not playing at that stage of the game yet, because we need to first prove that our system is working under normal conditions. Nobody will even bother with these advanced scenarios if that is not shown.

Henry

Social Web Architect
http://bblfish.net/

Received on Thursday, 26 January 2012 14:31:34 UTC